CISMP Questions Flashcards

Question

Who typically chairs the Security Steering Committee within an organization? A) Chief Executive Officer (CEO) B) Chief Information Security Officer (CISO) C) Chief Financial Officer (CFO) D) Chief Operating Officer (COO)

Answer 1

Answer: B The Security Steering Committee is usually chaired by the Chief Information Security Officer (CISO). This committee serves as a high-level forum to discuss security matters and support the security function within the organization. While other roles such as CEO, CFO, and COO may have involvement or participation in security-related decisions, the CISO is typically responsible for leading the Security Steering Committee.

Answer 2

Answer: B One of the main functions of a Security Steering Committee is to develop information security policies. This committee serves as a forum to discuss and approve documentation such as policies, standards, and procedures related to information security. While the committee may have oversight and involvement in various security-related activities, its primary role is to ensure the development and approval of effective policies that guide security practices within the organization.

Answer 3

Answer: B The role of a Security Steering Committee in information security governance is primarily focused on serving as a centralized authority for approving and overseeing security projects and initiatives. This committee ensures that security efforts align with the organization's objectives, reviews and approves security-related documentation, and provides guidance and direction for security initiatives. While the committee may have oversight and involvement in other security-related activities, its primary responsibility lies in strategic decision-making and governance rather than daily operational tasks or technical support.

Answer 4

D) Promotes a security culture and behaviour change. Explanation: A security awareness training program should aim to create a security culture within the organization. It should not be limited to specific job roles but should be organization-wide. The content should be up to date, relevant, and tailored to the audience, including all staff members. The main objective of the program is to promote a change in behaviour, encouraging individuals to think before they act and to be more vigilant about security risks. By promoting a security culture, organizations can create a collective responsibility for security and improve their overall security posture.

Answer 5

C) It should be tailored to the specific needs and roles of individuals. Explanation: Security awareness training programs should be designed to address the unique needs and roles of individuals within an organization. Different employees have varying levels of access to information assets and face different security risks based on their job responsibilities. Tailoring the training ensures that employees receive relevant and applicable knowledge to their specific roles, increasing the effectiveness of the program. It helps employees understand their personal responsibilities, recognize security threats relevant to their work, and adopt appropriate security behaviours.

Answer 6

A) Making the training mandatory for all employees C) Conducting periodic assessments to measure training effectiveness When implementing a security awareness training program, it is important to make the training mandatory for all employees to ensure widespread participation and consistent knowledge. Additionally, conducting periodic assessments helps measure the effectiveness of the training program and identifies areas that may require further attention or improvement. Customizing the training content for different departments can also be beneficial, but it is not one of the required considerations mentioned in the question. Providing rewards and incentives can be helpful in motivating employees to complete the training, but it is not a universal requirement. Including technical jargon and complex concepts in the training materials may hinder understanding and should be avoided to ensure clear communication.

Answer 7

C) Mandatory requirements imposed by governments or the legal system. Statutory requirements in information security refer to legal obligations that organizations must adhere to as prescribed by laws or regulations set by governments or the legal system. These requirements are not voluntary or optional, but rather mandatory for compliance. Well done!

Answer 8

C) Data protection laws imposed by the government. Statutory requirements in information security refer to legal obligations imposed by government entities or the legal system. Data protection laws, such as the General Data Protection Regulation (GDPR), mandate how organizations should handle and protect personal data. Compliance with these laws is necessary to ensure the organization operates within the legal framework and protects individuals' privacy rights. Well done!

Answer 9

C) Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a statutory requirement in the United States that sets standards for the protection of sensitive patient health information. It specifically applies to the healthcare industry and mandates the secure handling and storage of protected health information (PHI). Compliance with HIPAA is legally required for healthcare organizations and their business associates to ensure the privacy and security of patient data. The other options listed in the question are not jurisdictional statutory requirements. Therefore, the correct answer is C) Health Insurance Portability and Accountability Act (HIPAA) as it represents a jurisdictional statutory requirement in information security. (In the context of information security, jurisdictional statutory requirements may include laws, regulations, or acts that organizations must comply with to ensure the security and protection of data within a specific region. These requirements are legally enforceable and may cover various aspects such as data privacy, data protection, incident reporting, or specific industry regulations.)

Answer 10

D)PCI-DSS PCI-DSS specifically focuses on the security measures for handling payment card transactions.

Answer 11

D) HIPAA, HIPAA is the regulatory standard that governs the protection of healthcare records and ensures the privacy and security of individuals' health information in the United States.

Answer 12

B) They offer advice and suggested practices but are not legally binding. Advisory Requirements provide recommendations and guidance to businesses but do not carry legal obligations or enforceability. They serve as valuable sources of information and best practices for organizations to enhance their security measures.

Answer 13

A) National Cyber Security Centre (NCSC). The NCSC is known for providing advisory requirements and guidance on cybersecurity best practices in the United Kingdom. They act as a computer security incident response team (CSIRT) and provide support to businesses, disseminate information, conduct threat assessments, and offer general technical support in the field of cybersecurity.

Answer 14

A) National Cyber Security Centre (NCSC) The National Cyber Security Centre (NCSC) serves as a CSIRT and provides early warnings of threats, threat assessments, and technical support, making it the most suitable answer.

Answer 15

D) All of the above Government agencies, industry trade bodies, and vendors frequently issue guidance and advice on implementing security measures and dealing with specific events, making all the options correct.

Answer 16

B) ISACA. ISACA stands for Information Systems Audit and Control Association ISACA is an international professional association focused on IT governance and offers certifications in various areas including audit, risk management, privacy, and information security.

Answer 17

C) ISC2 - International Information Systems Security Certification Consortium. ISC2 specializes in training and certification for cybersecurity professionals, and they are well-known for offering the CISSP (Certified Information Systems Security Professional) certification.

Answer 18

C) Procedures Procedures are the documents that outline detailed instructions or steps to be followed when carrying out specific tasks related to information security. They provide specific guidance on how to perform actions in a consistent and secure manner.

Answer 19

A) Policies Policies are high-level documents that establish the overall principles, rules, and expectations for information security within an organization. They outline the goals, objectives, and acceptable behaviours related to information security and serve as a foundation for developing more detailed standards, procedures, and guidelines.

Answer 20

B) A statement of intent and high-level guidance. The Information Security Policy is designed to provide a broad overview and direction for information security within an organization, outlining the business objectives and demonstrating senior management commitment to security. It provides high-level guidance rather than detailed instructions or technical specifications.

Answer 21

B) Acceptable Use Policy. It specifically focuses on defining the acceptable and unacceptable use of an organization's computer systems and networks by its employees and other authorized users. Well done!

Answer 22

D) Compliance with external standards promotes information security commitment. External standards, such as ISO 27001, provide a recognized framework for information security management and demonstrate a commitment to maintaining a robust security posture.

Answer 23

C) Procedures outline step-by-step instructions for carrying out processes. Procedures provide detailed instructions on how to perform specific tasks or processes within an organization, ensuring that they are carried out consistently and in the correct manner.

Answer 24

D) Discretionary information on how something could be achieved. Guidelines in the context of information security documentation provide recommendations or suggestions on how to achieve certain goals or objectives, but they are not mandatory like policies, standards, and procedures.

Answer 25

D) Guidelines offer discretionary information on how something could be achieved. Guidelines provide suggestions, recommendations, or best practices on how to accomplish a task or objective, but they are not mandatory and allow for flexibility in implementation. Well done!

Answer 26

B) To outline the responsibilities of employees in managing company resources. The end user code of practice and acceptable use policy define the expected behaviour and guidelines for employees, contractors, and visitors when using company assets and resources. It helps ensure responsible and secure use of these resources. Well done!

Answer 27

B) Defining the acceptable standards of conduct for end users An Acceptable Use Policy (AUP) is a document that defines the acceptable standards of conduct for end users when using company assets and resources. It outlines the rules and guidelines for appropriate and responsible use of technology within the organization. Well done!

Answer 28

B) Consistently enforcing policies regardless of an employee's position. Policies should apply to all members of staff, regardless of their position within the organization, and the process for dealing with policy violations should be applied equally across the board.

Answer 29

B) Applying consistent enforcement regardless of employee position. It is essential to ensure that policy violations are dealt with consistently and fairly across all levels of the organization, from C-level executives to regular employees. This helps maintain a strong culture of compliance and reinforces the importance of adhering to organizational policies.

Answer 30

B) After a defined time through periodic reviews. Policies should be reviewed after a defined time through periodic reviews to ensure they remain current, relevant, and effective. Well done!

Answer 31

D) When there are changes to working processes, systems, or legal requirements. Policies should be reviewed and updated to reflect any changes that may impact their effectiveness or compliance. Well done!

Answer 32

D) Ensuring alignment with government regulations. Security governance involves ensuring that the organization follows all relevant government regulations, in addition to compliance with internal policies and standards. It includes monitoring and oversight to validate compliance and may involve external accreditation bodies to verify the organization's adherence to security measures.

Answer 33

D) Monitoring and oversight. Monitoring and oversight are essential components of security governance to ensure compliance with legal and regulatory requirements.

Answer 34

D) Audits assess the compliance, effectiveness, and efficiency of security activities and processes.

Answer 35

D) Independent and impartial evaluation of all aspects including technology, processes, and people. An effective audit process should be conducted by an independent entity and cover all relevant aspects of security, including technology, processes, and people, without bias or favouritism.

Answer 36

B) GDPR. GDPR stands for General Data Protection Regulation and it specifically addresses privacy and the transfer of personal data to third parties or other jurisdictions. Well done!

Answer 37

D) SOX. Sarbanes Oxley (SOX) is an industry standard that deals with the financial oversight of publicly listed corporations. It focuses on ensuring the accuracy and reliability of financial reporting and includes provisions for internal controls and audit requirements.

Answer 38

C) Check. In the PDCA cycle, the Check step involves studying the results and comparing them with the expected outcomes to assess whether the objectives and processes are being achieved as planned. Well done!

Answer 39

A) Plan. In the PDCA cycle, the "Plan" step involves establishing the objectives and processes necessary to deliver the expected results. Well done!

Answer 40

D) Periodically re-evaluating risk and continually improving the process Periodically re-evaluating risk and continually improving the process is a key step in implementing an information security framework. It ensures that the framework remains effective and aligned with the changing risk landscape and business requirements.

Answer 41

D) Identifying controls for reducing risk to acceptable levels. Implementing an information security framework involves identifying and implementing appropriate controls to mitigate risks and ensure the security of the organization's information assets.

Answer 42

A) To analyse the gaps between the current state and the desired state. During the gap analysis stage of implementation, the focus is on identifying the gaps or discrepancies between the current state of the organization's security practices and the desired state as defined by the information security framework. This analysis helps in understanding what needs to be done to bridge those gaps and align the organization with the desired security objectives.

Answer 43

D) Realistic and achievable, addresses business needs, reaches objectives within agreed timescales, and provides a return on investment. A successful plan for information assurance is realistic and achievable, addresses the needs of the business, reaches its objectives within agreed timescales, and provides a return on investment. Well done!

Answer 44

B) Tailoring benefits to individual stakeholder requirements. When selling the benefits of a security program, it is important to understand the needs and expectations of different stakeholders and communicate the advantages of the program in a way that resonates with them individually. This approach increases the chances of gaining their support and buy-in.

Answer 45

C) An event that disrupts the normal functioning of the business. In the context of information security, an incident refers to an event that has an adverse impact on the operation of the business, such as a security breach, data breach, physical security breach, or denial of service attack. These incidents disrupt the normal functioning of the business and require appropriate management and response.

Answer 46

C) Planning and preparing for incidents in advance. Incident management involves having predefined procedures, protocols, and plans in place to effectively respond to and manage incidents when they occur. By planning and preparing in advance, organizations can minimize the impact of incidents and mitigate risks effectively.

Answer 47

C) Containment The BCS (British Computer Society) highlights the following steps: Reporting, Investigation, Assessment, Corrective Action, and Review.

Answer 48

D) To evaluate the effectiveness of the incident response and identify areas for improvement The purpose of the "Review" stage in the incident management process is to evaluate the effectiveness of the incident response and identify areas for improvement. It involves analysing the incident, assessing the response actions taken, and determining if any changes or enhancements are needed to prevent similar incidents in the future.

Answer 49

C) Privacy issues with personal data. Privacy regulations and requirements can vary from one jurisdiction to another, so organizations need to ensure they comply with the specific privacy laws and regulations applicable in the regions where they operate. Well done!

Answer 50

D) Trademarks and patents. Intellectual property refers to creations of the mind, such as inventions, artistic works, designs, symbols, and names used in commerce. Trademarks and patents are specific types of intellectual property that are protected by legal frameworks to prevent unauthorized use or copying.

Answer 51

C) Common law In the context of UK and international law, common law refers to a legal system based on the law of precedence. It is predominantly a jury-based system, where decisions and interpretations of the law are influenced by previous court rulings. Under common law, judges have the authority to make legal decisions and set legal precedents that other courts can follow in similar cases.

Answer 52

C) GDPR (General Data Protection Regulation). GDPR is a regulation that was implemented by the European Union to protect the personal data and privacy of individuals within the EU. It establishes guidelines for the collection, processing, and storage of personal data by organizations. GDPR imposes strict requirements on organizations, including the need to obtain explicit consent for data processing, the right to access and delete personal data, and the obligation to implement appropriate security measures. It applies to all EU member states and has extraterritorial reach, meaning that it also applies to organizations outside the EU that handle the personal data of EU citizens.

Answer 53

B) HIPAA (Health Insurance Portability and Accountability Act). HIPAA is a regulation in the United States that sets standards for protecting sensitive patient health information, ensuring its privacy and security. It applies to entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. The primary goal of HIPAA is to safeguard the confidentiality, integrity, and availability of protected health information (PHI) while allowing for the necessary exchange of healthcare data.

Answer 54

A) Security. The principle of security states that personal data should be processed in a manner that ensures appropriate security, integrity, and confidentiality of the data. This means implementing measures to protect the data from unauthorized access, disclosure, alteration, or destruction. Security measures may include encryption, access controls, secure storage, and regular security assessments.

Answer 55

B) Purpose limitation. The principle of purpose limitation states that personal data should be collected for a specific and legitimate purpose and should not be further processed in a manner that is incompatible with those purposes. Data minimization (option C) refers to collecting only the necessary and relevant data, while purpose limitation specifically focuses on the purposes of data processing.

Answer 56

C) Security The principle that emphasizes the importance of handling personal data securely and implementing appropriate technical measures is the principle of "Security." Well done!

Answer 57

C) Gaining unauthorized access to a computer system with the intention to steal sensitive data. Gaining unauthorized access to a computer system with the intention to steal sensitive data is considered a violation of the Computer Misuse Act 1990 in the UK. This act prohibits unauthorized access, hacking, and misuse of computer systems without authority

Answer 58

A) Identity theft

Answer 59

A) Unauthorized access to a computer system. This is considered an offense under computer misuse legislation, as it involves accessing a computer system without proper authorization or permission.

Answer 60

C) Legal requirements and industry regulations. When defining a data retention policy, it is crucial to consider the legal requirements and regulations specific to the industry in which the company operates. Compliance with applicable laws ensures that the company retains data for the required duration and avoids any legal consequences.

Answer 61

D) The sensitivity and classification of the data. When implementing a data retention policy, it is important to consider the sensitivity and classification of the data. Different types of data may have different retention requirements based on their sensitivity and the legal or regulatory obligations associated with them. By considering the sensitivity and classification of the data, organizations can ensure that appropriate retention periods and security measures are applied to protect the data effectively.

Answer 62

C) Trade secrets. Trade secrets protect confidential information that gives a business a competitive edge, such as formulas, processes, customer lists, or other valuable proprietary information. Well done!

Answer 63

B) Trademark. Trademarks are specifically designed to protect the visual identification of a product or organization, such as logos, symbols, or specific designs that help distinguish a brand from others in the market.

Answer 64

B) Duration of the contract and payment terms.

Answer 65

C) To ensure that sensitive information shared between the parties remains confidential. Including a confidentiality clause in a contract helps protect the sensitive information exchanged between the parties involved. It establishes the obligation for both parties to maintain the confidentiality of any proprietary or confidential information disclosed during the course of their business relationship. This clause helps safeguard trade secrets, customer data, intellectual property, and other confidential information from unauthorized disclosure or misuse.

Answer 66

C) ISO (International Organisation for Standardisation). ISO is responsible for developing a wide range of standards, including ISO 27001 for Information Security Management System.

Answer 67

D) ISO (International Organisation for Standardisation) ISO, specifically ISO/IEC 27001 and ISO/IEC 27002, provides internationally recognized standards and guidelines for information security management systems (ISMS) and best practices for information security and risk management. These standards provide organizations with a framework to establish, implement, maintain, and continually improve their information security controls and processes. ISO/IEC 27001 is focused on the requirements for establishing an ISMS, while ISO/IEC 27002 provides guidance on implementing specific information security controls.

Answer 68

A) EAL 7. EAL 7 represents the highest level of evaluation in the Common Criteria for product certification. It involves formal design review and testing, indicating a more thorough evaluation process. EAL 1 represents the lowest level, focusing on pure functionality, while EAL 4 is a commonly accredited level for modern operating systems and firewalls. ISO 15408 is the standard that embodies the Common Criteria.

Answer 69

D) EAL 7. EAL 7 involves formally verified design and testing.

Answer 70

D) EAL 4 EAL 4 involves methodical design, testing, and review of the product. EAL 1 is functionally tested, EAL 3 is methodically tested and checked, and EAL 5 is semi-formally designed and tested. EAL 4 is a higher level that includes comprehensive design, testing, and review processes.

Answer 71

B) EAL 3 EAL 3: Methodically tested and checked.

Answer 72

A) IETF (Internet Engineering Task Force) -IETF (Internet Engineering Task Force): Develops and promotes standards for the Internet. The standards are documented in RFCs (Request for Comment), which cover various aspects of Internet protocols and technologies.

Answer 73

A) ITU (International Telecommunications Union) ITU (International Telecommunications Union): Responsible for technical specifications in information and communications technologies. ITU-T deals with telecommunications and defines standards using numerical titles, such as X.500 for Directory Services and X.509 for Digital Certificates.

Answer 74

C) NIST. The National Institute of Standards and Technology (NIST) is an American non-regulatory body that provides guidance and best practices for American commercial organizations.

Answer 75

C. Content reviews Alyssa can put in place content reviews (option C) as a control to protect against the risk of outdated security awareness program content. Content reviews involve regularly evaluating and updating the program's materials, resources, and training materials to ensure they remain relevant and aligned with current technology trends and security practices. This control allows Alyssa to identify any outdated or inaccurate information and make necessary updates to keep the security awareness program up to date. While options A, B, and D (gamification, computer-based training, and live training) are methods or approaches that can be used within a security awareness program, they do not directly address the specific risk of content becoming outdated. Content reviews are specifically focused on evaluating and updating the content itself to ensure its accuracy and relevance.

Answer 76

B. Residual risk Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made. Residual risk is important for several reasons. First to consider is that residual risk is the risk "left over" after security controls and process improvements have been applied.

Answer 77

E. Evaluated against the Common Criteria When choosing a technical product to protect classified information, it is best to select one that has been evaluated against the Common Criteria. The Common Criteria is an internationally recognized standard for evaluating the security capabilities of information technology products. It provides a framework for assessing the security features and assurance levels of these products. While other options mentioned in the question may also be important considerations, such as industry ratings, ISO27000 certification, recommendations by IT professionals, or guarantees, the Common Criteria evaluation holds particular significance when it comes to security products for classified information. It ensures that the product has undergone rigorous testing and evaluation to meet specific security requirements and standards.

Answer 78

A. A message digest calculated from a set of data A hash function is a mathematical algorithm that takes an input (data) and produces a fixed-size string of characters, which is often referred to as a "hash" or "message digest." The purpose of a hash function is to provide a unique representation of the input data. Even a small change in the input will produce a significantly different hash value. Hash functions are commonly used in various areas, such as data integrity checks, password storage, digital signatures, and data indexing.

Answer 79

A. Bobs Private Key Bob can use his private key to digitally sign the email, which creates a digital signature unique to him. The digital signature ensures the integrity of the email, as any modifications to the email would invalidate the signature.

Answer 80

B) Code which is maliciously introduced into executable code. A Trojan Horse refers to malicious software that appears to be legitimate or harmless but contains hidden malicious code or functionality. It is named after the ancient Greek story of the Trojan Horse, where a deceptive wooden horse was used to gain access to the city of Troy. Trojans are typically disguised as legitimate files or programs and are often spread through social engineering techniques, such as email attachments, software downloads, or deceptive links. Once the Trojan is executed, it can perform various malicious activities, such as stealing sensitive information, modifying or deleting files, providing unauthorized access to the system, or facilitating further attacks. Option B accurately describes the nature of a Trojan Horse, as it involves the malicious introduction of code into executable files or programs. The other options, such as a boot sector virus (A), code triggered by certain times or events (C), a virus that moves autonomously across a system (D), or a backdoor into a system (E), do not specifically capture the characteristics of a Trojan Horse.

Answer 81

D) Identification and Prioritization of critical business processes. In the BCP (Business continuity planning) process, it is crucial to identify and prioritize the critical business processes within an organization. This involves analysing and understanding the dependencies, interconnections, and impact of each process on the overall functioning of the business. By identifying critical processes, organizations can allocate appropriate resources, develop strategies for their continuity, and prioritize recovery efforts in case of disruptions or disasters.

Answer 82

C) Senior Executives. Gaining support from senior executives is essential for the successful implementation of Information Security Standards within an organization. Senior executives hold the authority and influence to allocate resources, set priorities, and make decisions that impact the organization as a whole. Their support is vital in establishing a culture of security, ensuring the necessary budget and resources are allocated, and driving the implementation of security standards throughout the organization.

Answer 83

A) When local legislation determines it as a requirement. The reporting of security incidents to law enforcement agencies is typically determined by local legislation and regulations. Many countries have laws that mandate the reporting of certain types of security incidents, especially those involving significant breaches, data theft, cyberattacks, or illegal activities. It is important for organizations to be aware of and comply with applicable laws and regulations regarding incident reporting. Failure to report incidents as required by law may result in legal consequences, penalties, or other adverse outcomes.

Answer 84

B) The Employer. In general, when an employee develops an application during company working hours, even if it is relevant to the business but not directly related to their employment, the intellectual property rights are often assigned to the employer. This is because the work was created within the scope of employment and is considered a "work made for hire." As such, the employer typically holds the rights to any intellectual property created by employees as part of their job responsibilities or during company time. It's important to note that intellectual property laws and employment agreements can vary, so it is always advisable for employees and employers to refer to specific contracts, policies, and local laws to determine the ownership of intellectual property rights in such situations. Consulting with legal professionals is recommended to ensure a clear understanding of rights and obligations related to intellectual property ownership.

Answer 85

D) Business Impact Analysis. A Business Impact Analysis (BIA) assesses the potential impact of a threat or incident on critical business operations, processes, and objectives. By evaluating the potential consequences, such as financial losses, operational disruptions, reputational damage, regulatory non-compliance, or harm to human safety, a BIA helps prioritize threats based on their potential impact. The severity of the threat's potential impact on the organization's ability to function and achieve its goals will often determine the priority given to addressing it. Threats that pose a higher risk to critical business functions or have the potential for significant negative consequences will typically be treated with a higher priority.

Answer 86

B) Request a User ID and Password to enable logon rights. Requiring a user to provide a valid User ID and Password is a common method for authenticating users and granting access to a computer operating system. The user is prompted to enter their unique User ID (username) and a corresponding password that verifies their identity. If the provided credentials match the authorized user's information stored in the system, access is granted.

Answer 87

E) Information Security Team, System Developers, and relevant Operational Staff. The development of System Security Test and Evaluation Plans typically involves collaboration between multiple stakeholders to ensure comprehensive coverage and effective evaluation of the system's security. The Information Security Team, System Developers, and relevant Operational Staff all play important roles in this process. The Information Security Team is responsible for assessing and managing the security risks associated with the system. They have the expertise to identify the necessary security controls, define testing requirements, and ensure that the system meets the desired security objectives. The System Developers are responsible for designing and implementing the system. They have in-depth knowledge of the system architecture, functionality, and potential vulnerabilities. Their input is crucial in identifying the areas that require testing and evaluation. The relevant Operational Staff, such as system administrators or end-users, have operational insights and understand the practical aspects of using the system. Their involvement ensures that the test and evaluation plans align with the system's operational requirements and real-world scenarios.

Answer 88

A) So that users understand the level of Confidentiality C) So that users understand how to dispose of the document E) So that users understand the contents of the document

Answer 89

A) Assurance. Assurance is the concept that describes the amount of confidence an organization has in the effectiveness and adequacy of its security controls to meet the necessary security requirements. It is about having trust and belief that the implemented controls are operating as intended and providing the desired level of security. Assurance is achieved through various activities such as security testing, audits, assessments, and evaluations. These processes help evaluate the effectiveness of controls, identify any vulnerabilities or weaknesses, and ensure that the organization's security requirements are being met. By having assurance in the security controls, organizations can have greater confidence in the protection of their assets, data, and systems, reducing the risk of security breaches and maintaining the desired security posture.

Answer 90

C) Defence in Depth. Defence in Depth is the information security principle that requires an organization to implement overlapping security controls wherever feasibly possible. This principle emphasizes the use of multiple layers of security controls to provide a more robust and effective defence against potential threats and attacks. By implementing overlapping security controls, an organization adds redundancy and diversity to its security measures. This approach ensures that even if one control fails or is bypassed, there are additional layers of defence in place to mitigate risks and protect the organization's assets and information. Defence in Depth helps to minimize the likelihood of a single point of failure and provides a comprehensive security strategy that addresses various attack vectors and vulnerabilities. It involves a combination of technical controls, policies, procedures, and awareness programs to create a layered defence approach. Overall, implementing overlapping security controls based on the principle of Defence in Depth enhances the organization's overall security posture and increases the difficulty for adversaries to breach the system or gain unauthorized access.

Answer 91

A) Understanding that different countries have differing legislation with respect to how information can be handled With the increasing global operation of corporate organizations, understanding the differing legislation in different countries regarding information handling is likely to be the more important consideration for information security. This is because each country may have its own specific laws and regulations regarding data protection, privacy, and security. By understanding and complying with the applicable legislation in each country of operation, organizations can ensure that they handle information in a manner that is legally compliant and aligned with the specific requirements of each jurisdiction. This may include considerations such as data storage, data transfer, consent requirements, breach notification, and other relevant aspects. Failure to comply with the applicable legislation in any country can lead to legal and regulatory consequences, reputational damage, and loss of customer trust. Therefore, understanding and adhering to different countries' legislation is crucial for maintaining strong information security practices and ensuring compliance in the global operating environment of corporate organizations.

Answer 92

B) The policy must be integral to all areas of an organization When drafting a company's information security policy, an important consideration is that the policy should be integral to all areas of the organization. Information security is a collective responsibility that involves all employees, departments, and functions within the organization. Therefore, the policy should reflect this by being inclusive and applicable to everyone. Having the information security policy integrated throughout the organization helps to create a culture of security awareness and promotes consistent implementation of security practices. It ensures that all employees understand their roles and responsibilities in protecting the organization's information assets and helps to establish a strong security posture across the board. By making the policy integral to all areas of the organization, it becomes a guiding framework for decision-making, risk management, and day-to-day operations related to information security. This helps to minimize security vulnerabilities, maintain compliance with relevant standards and regulations, and protect the organization's valuable data and resources.

Answer 93

D) The removal of confidential information from desks reduces the chances of opportunistic theft and keeps it available to the business. An organization's "clear desk" policy can be seen as a good example of "security as an enabler" because it enhances security while enabling the smooth functioning of the business. By implementing a clear desk policy, confidential information and sensitive documents are removed from desks when not in use, reducing the chances of opportunistic theft. This security measure ensures that sensitive information remains protected and confidential, mitigating the risk of unauthorized access and data breaches. It also contributes to maintaining compliance with data protection regulations and standards. Furthermore, by keeping desks clear of confidential information, it becomes readily available to the business and authorized individuals who require access to it. This promotes efficiency, productivity, and collaboration within the organization. Overall, the "clear desk" policy not only improves security but also enables the organization to maintain a well-organized work environment, enhances compliance with data protection laws, and supports the smooth operation of day-to-day activities.

Answer 94

D) Corporate Board The ultimate responsibility for risk management, as strengthened by legislation such as the Sarbanes-Oxley Act and the Companies Act, lies with the Corporate Board. The board of directors of an organization holds the highest level of responsibility for overseeing and managing risk-related matters within the company. They are accountable for establishing risk management strategies, setting risk appetite, ensuring compliance with applicable laws and regulations, and making critical decisions regarding risk mitigation and governance. While other roles, such as IT managers, IT security teams, and supervisors, may play important roles in implementing and supporting risk management initiatives, the ultimate responsibility rests with the Corporate Board as they have the authority and fiduciary duty to protect the organization's interests and ensure sound risk management practices are in place.

Answer 95

A) All staff From an information assurance perspective, ensuring the security of information is not solely the responsibility of a specific department or role. It is a collective responsibility that extends to all staff members within the organization. Every individual, regardless of their position or role, has a role to play in protecting information assets, following security policies and procedures, and being vigilant against potential security risks. Regarding the "security culture" perspective, fostering a culture of security within the organization is a shared responsibility among all staff members. This involves promoting security awareness, training employees on security best practices, encouraging reporting of security incidents, and actively participating in maintaining a secure work environment. While roles such as the IT department, Chief Executive Officer (CEO), and Data Protection Officer (DPO) may have specific responsibilities related to information security, the overall responsibility for information security is shared by all staff members to ensure a comprehensive and effective security posture throughout the organization.

Answer 96

D) A disgruntled employee destroying backup files Anyone deliberately destroying property or data is never an accident.

Answer 97

C) Risk = Impact * Likelihood The relationship that best describes how a risk is determined is that the risk is equal to the impact multiplied by the likelihood. In risk assessment and management, the impact refers to the potential harm or damage that could result from a threat exploiting a vulnerability, while the likelihood represents the probability or chance of the threat actually occurring. Multiplying these two factors together provides a measure of the overall risk associated with a specific threat scenario. By considering both the potential impact and the likelihood, organizations can prioritize and allocate resources to effectively manage and mitigate risks.

Answer 98

B) Compromised supplier connected to an organization's order system

Answer 99

C) In the database connected to the organization's ecommerce website When customer PII has been stolen from an organization's online store using SQL Injection, the vulnerability that led to this exploit is typically found in the database connected to the organization's ecommerce website. SQL Injection is a type of attack that exploits vulnerabilities in the way user inputs are handled in SQL queries. Attackers can inject malicious SQL code through user inputs, tricking the application into executing unintended database commands. If the website's database is not properly secured or does not have sufficient input validation and sanitization mechanisms in place, it becomes susceptible to SQL Injection attacks, leading to unauthorized access and theft of sensitive information such as customer PII.

Answer 100

A) Loss of confidence by financial investors When a financial institution experiences a cyberattack, it can result in a loss of confidence by financial investors. Cyberattacks can undermine trust in the institution's security and ability to protect sensitive financial information. Investors may become concerned about the potential risks and vulnerabilities associated with the institution's systems and operations. This loss of confidence can have significant impacts on the institution's reputation, financial stability, and future investment prospects.

Answer 101

A) Identify, Analyse, Treat, and Monitor The four main components of a risk management process, in the correct life-cycle order, are: Identify: This involves identifying and recognizing potential risks and threats to the organization. Analyse: Once risks are identified, they need to be analysed to understand their likelihood, potential impacts, and vulnerabilities. Treat: After analysis, appropriate risk treatment strategies are implemented to mitigate or manage the identified risks. Monitor: The risk management process should include ongoing monitoring and evaluation of the effectiveness of the implemented risk treatments, as well as the identification of new risks that may emerge. This life-cycle order ensures a systematic and proactive approach to risk management, starting from risk identification, moving to analysis and treatment, and finally incorporating continuous monitoring to adapt and respond to changing risk landscapes.

Answer 102

C) Statistical chance of another attack recurring In a quantitative risk assessment, various factors are considered to determine the likelihood and impact of a denial of service threat to an information system. One of the important pieces of evidence in this assessment is the statistical chance of another attack recurring. This involves analysing historical data and trends related to denial of service attacks to assess the probability of a similar attack happening again. By examining past occurrences and patterns, organizations can gain insights into the likelihood of future attacks and incorporate this information into their risk assessment process.

Answer 103

C) Encrypting the data Encrypting the data strongly enough means that even if the data is lost it is potentially impossible to actually understand it. (Risk Mitigation: The act of applying controls to reduce risk, sometimes called modification or risk reduction.)

Answer 104

B) Qualitative The risk assessment approach that uses a risk matrix mapping risk likelihood against impact, typically represented as a 2x2, 3x3, or up to 5x5 sectors representing low, medium, or high risk levels, is the qualitative risk assessment. In qualitative risk assessment, risks are assessed based on subjective judgments rather than precise numerical values. The risk matrix provides a visual representation of the risk levels, allowing for a quick and intuitive understanding of the overall risk profile. The likelihood and impact of each risk are typically categorized into qualitative descriptors, such as low, medium, or high, and are then mapped onto the risk matrix to determine the risk level. This approach is useful for organizations that prioritize risk management based on general risk levels and do not require precise quantitative measurements. Qualitative Risk Assessment: A subjective form of risk assessment that does not use specific values. May use words such as low, medium, high. Quantitative Risk Assessment: an objective form of risk assessment based upon numerical values.

Answer 105

C) Impact When conducting a qualitative risk assessment, the two most important risk elements that should form a major part of the analysis are likelihood and impact. Likelihood refers to the probability or chance of a risk event occurring, while impact refers to the potential consequences or severity of that event if it were to occur. Assessing the likelihood and impact of risks allows organizations to prioritize and focus their efforts on addressing the most significant and potentially harmful risks. By understanding the likelihood of a risk event happening and the potential impact it could have on the organization, appropriate risk management strategies can be developed to mitigate or minimize the negative effects.

Answer 106

A) Single Point of Responsibility for Information Assurance One of the key reasons for appointing a Chief Information Security Officer (CISO) at the Boardroom level is to establish a single point of responsibility for information assurance. The CISO is responsible for overseeing the organization's information security program, including the development and implementation of policies, procedures, and controls to protect the organization's information assets. By having a dedicated CISO at the Boardroom level, there is clear accountability and authority for information security matters. This helps ensure that information security is given the necessary attention and priority at the highest level of the organization and that it is integrated into strategic decision-making processes. The CISO's role is crucial in managing and mitigating information security risks and aligning security initiatives with business objectives.

Answer 107

A) PCI-DSS In the given scenario, where the e-commerce company has experienced a data breach on its credit card payment systems, the first priority for the company's compliance audit would likely be the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS is a set of security standards established by major credit card companies to ensure the protection of cardholder data. It outlines specific requirements for organizations that handle credit card transactions, including measures for securing payment systems, protecting customer data, and maintaining a secure network infrastructure. Given the nature of the data breach in the scenario, ensuring compliance with PCI-DSS would be crucial to address any vulnerabilities, protect customer information, and demonstrate adherence to industry security standards.

Answer 108

C) A policy sets out what needs to be done - a standard sets out how the policy should be implemented The main difference between a security policy and a standard is that a policy outlines the objectives, goals, and requirements for information security within an organization, specifying what needs to be done to achieve a secure environment. On the other hand, a standard provides more specific and detailed guidance on how the policy should be implemented. Standards define the specific technical and operational measures, procedures, and controls that need to be followed to meet the requirements outlined in the policy. In summary, the policy sets the "what" of information security, while the standard defines the "how."

Answer 109

D) Corrective Action In the incident response process, the phase that involves designing new security controls to prevent the reoccurrence of a previous incident is the Corrective Action phase. This phase focuses on addressing the root causes and vulnerabilities that led to the incident. The security administrator, along with relevant stakeholders, will analyse the incident, identify the weaknesses in the existing security measures, and develop and implement corrective actions to mitigate those vulnerabilities. This may involve designing and implementing new security controls, updating policies and procedures, enhancing training programs, or implementing technical solutions to strengthen the overall security posture of the organization. The goal is to prevent similar incidents from happening in the future by addressing the underlying issues and improving the organization's overall security resilience.

Answer 110

D) Log of recent security incidents When developing an information security strategy, a log of recent security incidents would not typically be a direct consideration. While the organization can learn from past incidents to improve security measures, the focus of developing a strategy is on proactive planning and prevention rather than reacting to specific incidents. The strategy would typically address preventive measures, risk assessment, compliance requirements, emerging threats, and other proactive considerations rather than being solely based on the log of recent security incidents.

Answer 111

B) Illegal interception of information From a legal perspective, illegal interception of information is considered to be a misuse of a computer. This refers to unauthorized access to someone else's data or communications without their consent or lawful authority. It is a violation of privacy and often a criminal offense, as it involves unauthorized access and potential misuse of sensitive information. The specific laws and regulations regarding illegal interception may vary by jurisdiction.

Answer 112

A) When a statement is included in the organization's information assurance policy or employee's contract of employment Under certain circumstances, it may be legal for an employer to monitor an employee's online communication if there is a clear statement in the organization's information assurance policy or the employee's contract of employment explicitly stating that such monitoring may occur. This ensures that employees are aware of the possibility of monitoring and provides a legal basis for the employer to conduct such monitoring. It is important for organizations to follow applicable laws and regulations regarding employee privacy and data protection when implementing monitoring practices.

Answer 113

B) Any digital forensics investigator handling digital evidence must be competent to do so The principle that any digital forensics investigator handling digital evidence must be competent to do so is considered best practice for several reasons: Preservation of integrity: Digital evidence is often fragile and susceptible to alteration or damage. Competent investigators are trained to handle and preserve digital evidence without compromising its integrity. They understand the proper procedures for acquiring, documenting, and analysing digital evidence while minimizing the risk of unintentional changes or tampering. Admissibility in court: In legal proceedings, digital evidence must meet certain standards of admissibility. Courts require that evidence is collected and handled by qualified individuals who can demonstrate their expertise and adherence to recognized forensic practices. Having competent investigators ensures that the evidence can withstand scrutiny in court and increases the likelihood of its acceptance as valid and reliable. Accuracy and reliability: Competent investigators possess the necessary knowledge and skills to perform thorough and accurate examinations of digital evidence. They understand the technical aspects involved in data recovery, analysis, and interpretation. Their expertise helps ensure that the evidence is properly understood, evaluated, and presented, enhancing its reliability and credibility. Chain of custody: Competent investigators are well-versed in maintaining a proper chain of custody for digital evidence. They document each step of the handling process, including its collection, storage, and transportation, to ensure its integrity and prevent any claims of tampering or mishandling. A reliable chain of custody strengthens the evidentiary value of the digital evidence and maintains its credibility in court. By adhering to the principle that only competent digital forensics investigators should handle digital evidence, organizations and legal authorities can ensure the preservation, reliability, and admissibility of the evidence in legal proceedings.

Answer 114

B) Restrictions on the transmission of symmetric and/or asymmetric keys over communication networks When transferring encrypted information or cryptography-based tools between legal jurisdictions, it is essential to consider various factors to ensure compliance with regulations and legal requirements. Restrictions on the transmission of encryption keys over communication networks are a critical factor to be considered. Encryption keys are crucial for decrypting encrypted information, and their transmission can pose security risks if not properly regulated. Many countries have specific laws and regulations governing the transmission of encryption keys to prevent unauthorized access to sensitive information. Therefore, understanding and complying with the restrictions related to the transmission of encryption keys is an important consideration during the transfer process. By adhering to these regulations, organizations can ensure the secure transfer of encrypted information and cryptography-based tools while complying with the legal requirements of different jurisdictions.

Answer 115

C) Copyright law. Copyright law grants exclusive rights to the creator or owner of the software, including the right to reproduce, distribute, and control derivative works. By obtaining copyright protection, the software's source code is legally protected, and unauthorized copying or use can be addressed through legal action.

Answer 116

C) ISO. ISO (International Organization for Standardization) is a standards body that develops and publishes international standards. ISO 27001 is the standard specifically related to information security management systems (ISMS).

Answer 117

D) IETF (Internet Engineering Task Force) Internet Engineering Task Force produce standards called RFC’s on IP and associated applications. The Internet Engineering Task Force (IETF) is responsible for publishing technical standards and protocols that ensure interoperability of internet protocols and applications. It is a global community of network designers, operators, vendors, and researchers who work together to develop and evolve internet standards. The standards produced by the IETF play a crucial role in enabling different devices, networks, and applications to communicate and function effectively on the internet. These standards are open and freely available, allowing for widespread adoption and implementation across various platforms and systems.

Answer 118

B) ISO15408 ISO15408 in its entirety is meant to be used as the basis for evaluation of security properties of IT products. ISO15408, commonly referred to as Common Criteria, is an internationally recognized standard for evaluating the security functions of IT products. It provides a framework for assessing the security features and capabilities of various software and hardware components. The goal of Common Criteria is to ensure that IT products meet specific security requirements and offer sufficient protection against potential threats. Common Criteria employs a rigorous evaluation process that involves testing and analysis to determine if the security mechanisms implemented in the product are reliable and effective. It considers various aspects such as access control, authentication, data protection, and secure communication. The evaluation is performed by independent and accredited evaluation laboratories. By adhering to the Common Criteria standard, organizations can have confidence in the security of the IT products they procure. It helps ensure that the products meet specific security requirements and can be trusted to handle sensitive information securely. Common Criteria provides a consistent and internationally recognized approach to assessing the security of IT products, making it an essential framework for evaluating the design and implementation of security functions.

Answer 119

B) ISO/IEC13335 ISO/IEC 13335 covers the concepts and models fundamental to a basic understanding of IT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of IT security. ISO/IEC 13335 is an international standard that specifically deals with the management of IT security, focusing on the technical security control measures. It provides guidance on the implementation of security controls, risk assessment, and security incident management. This standard helps organizations establish and maintain effective security practices to protect their information assets. It covers a wide range of topics related to IT security, including network security, system security, application security, and security operations. ISO/IEC 13335 is widely recognized and used by organizations worldwide as a reference for implementing effective IT security measures.

Answer 120

A) ITIL ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL (Information Technology Infrastructure Library) is a widely recognized framework for IT Service Management. It provides guidance and best practices for managing IT services, including processes such as configuration management, change control, and service level agreements.

Answer 121

B) Create, Store, Retrieve, Use, Remove The life span of data/information expressed in the five phases of creation, storage, retrieval, use and final disposition. CSUSAD: Create – just another word for acquisition Store – stored upon a disk or other persistent medium Use – we use it, process it as part of our job Share – we may share it with others -securely Archive – a different one, at the end of its working life we may need to retain the data so we store it in archive where we can retrieve it when necessary Destroy – this can be at end of life or after the retention period in the archive has expired

Answer 122

D) Printing a document To print a document, the information has already been created. Printing a document is not a form of generating or acquiring information as part of the information lifecycle. It is a process of producing a physical copy of existing digital or physical information. In the context of the information lifecycle, the stages typically involve creating or generating information, storing or capturing it, retrieving or accessing it, and using or processing it. Printing a document is a means of output or dissemination rather than a method of generating or acquiring new information.

Answer 123

C) Sending a tweet advertising an event Tweeting information is publishing the data to a wider audience.

Answer 124

A) Software Development, Quality Assurance, and Operations The DevOps model emphasizes collaboration and integration between software development teams, quality assurance teams, and operations teams. Software Development involves the creation and coding of software applications and systems. Quality Assurance (QA) focuses on testing and ensuring the quality and functionality of the software. Operations involve the deployment, monitoring, and maintenance of the software in production environments. By combining these three components, the DevOps model aims to streamline the software development lifecycle, improve communication and collaboration, and enhance the overall efficiency and reliability of software delivery.

Answer 125

D) Technology, data, application, and business The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture that provides an approach for designing, planning, implementing, and governing an enterprise information technology architecture. It is typically modelled at four levels: Business, Application, Data, and Technology. The four architecture domains commonly accepted in the overall enterprise architecture supported by TOGAF are: Technology: This domain focuses on the hardware, software, and technology infrastructure required to support the organization's operations. It includes defining technology standards, platforms, and infrastructure components. Data: This domain deals with the management and governance of data within the organization. It includes data modelling, data architecture, data governance, and data management practices. Application: This domain addresses the design, development, and management of software applications that support the organization's business processes. It includes application architecture, application portfolio management, and application integration. Business: This domain focuses on understanding the organization's business strategy, goals, processes, and organizational structure. It includes defining business functions, business capabilities, and business processes. These four domains provide a holistic approach to enterprise architecture, covering technology, data, applications, and business aspects. They help organizations align their IT systems with business objectives, ensure efficient data management, enable effective application development, and support overall business operations.

Answer 126

B) Change Control Change control is a process used to manage and control changes to a system or environment. In the given scenario, the organization should adopt the change control process to ensure that the firewall rules are thoroughly tested before deployment on a production system. Change control involves a systematic approach to reviewing, approving, and implementing changes. It typically includes steps such as documenting the proposed changes, assessing the potential impact of the changes, obtaining approvals from relevant stakeholders, testing the changes in a controlled environment, and implementing the changes in a controlled manner. By following the change control process, the organization can ensure that any new firewall rules are properly tested before being deployed in a production system. This helps identify and address any access problems or compatibility issues that may arise due to the changes. It also helps maintain the stability and security of the system by ensuring that changes are properly reviewed and controlled.

Answer 127

A) Audit Logging Audit logging is a logging mechanism that captures and records security-related events and actions, providing a detailed record of activities for review and analysis. It helps track and monitor user activities, system changes, and access attempts, allowing administrators to investigate and analyse events related to remote console connections. By enabling audit logging, the administrator can track and review information such as who accessed the console, when the access occurred, and any actions performed during the session. This information can be crucial for security analysis, troubleshooting, compliance, and forensic purposes. Other logging forms mentioned in the options, such as flow logging, route logging, and trace logging, are more focused on specific network operations or data flow analysis and may not provide the detailed information required for monitoring remote console connections. Audit logging, on the other hand, is specifically designed for capturing security-related events and is well-suited for monitoring and analysing console connection activities.

Answer 128

A) Open source Open source software refers to software programs that provide the complete source code to the public, allowing anyone to view, modify, and distribute it freely. Open source software is typically developed in a collaborative manner by a community of developers who contribute to its improvement. This openness encourages transparency, innovation, and collaboration among developers. Users have the freedom to inspect, modify, and distribute the software according to their needs. Examples of popular open source software include Linux operating system, Apache web server, and the Firefox web browser.

Answer 129

C) Dynamic Testing Dynamic Testing is a methodology that involves testing an application or system by executing it and observing its behaviour in real-time. It focuses on evaluating the system's response to inputs and interactions, without requiring knowledge of the underlying source code or vulnerabilities. This type of testing simulates real-world usage scenarios to identify issues such as functional errors, performance bottlenecks, security vulnerabilities, and other behaviour-related problems. It is particularly effective in uncovering runtime issues that may not be apparent during static analysis or code review.

Answer 130

D) Risk that in-house development routines have not been patched When using third-party libraries in software development, there are several risks associated with them. Let's analyse each option: A) Risk that malware toolkits can be written into untrusted libraries: Third-party libraries may contain malicious code or vulnerabilities that can introduce malware into the application. B) Risk that common cryptographic routines may reveal secure data: Third-party libraries may implement cryptographic algorithms incorrectly, leading to security vulnerabilities that could compromise the confidentiality of sensitive data. C) Risk that software libraries have not been tested by the user community: Third-party libraries may lack proper testing and validation, increasing the likelihood of undiscovered bugs or vulnerabilities. D) Risk that in-house development routines have not been patched: This option does not directly relate to the use of third-party libraries. It refers to the organization's internal development routines and the need to keep them up to date with necessary patches and updates. Therefore, option D is the one that is NOT specifically associated with using third-party libraries.

Answer 131

A) Security clearance and vetting. Explanation: When an employer wants a high degree of confidence in the trustworthiness of an individual who will be handling confidential data, the process of security clearance and vetting is typically adopted. This involves conducting background checks, verifying credentials, and assessing the individual's trustworthiness, integrity, and reliability. Security clearance may involve various levels depending on the sensitivity of the data being handled. By implementing security clearance and vetting procedures, employers can mitigate the risk of unauthorized access, data breaches, and insider threats.

Answer 132

A) Contract of Employment. The contract of employment is a legal document that outlines the terms and conditions of employment between the employer and the employee. It typically includes clauses related to the employee's responsibilities, including their responsibilities regarding information security. The contract of employment sets the expectations and obligations of both parties and serves as a legally binding agreement. Therefore, it is the document that should be the final arbitrator when considering an employee's personal responsibility for information security. The other options, such as the annual tax return, service level agreement, and acceptable use policy, may be relevant in certain contexts but do not have the same legal weight and authority as the contract of employment.

Answer 133

B) Segregation of Duties. Segregation of Duties is a principle in information security and internal control that aims to prevent conflicts of interest and ensure accountability. It involves distributing tasks and associated privileges among multiple individuals to create a system of checks and balances. By separating key administrative tasks and responsibilities, no single individual has complete control or authority over critical functions, reducing the risk of fraud, errors, and unauthorized activities. This helps to ensure that no single person can abuse their privileges or manipulate systems for malicious purposes.

Answer 134

C) An employee's individual contractual hours. The End User Code of Practice typically focuses on guidelines and expectations related to the use of technology, security practices, and acceptable behaviour within the organization. It is not directly related to an employee's contractual hours, which are usually governed by employment contracts or policies separate from the code of practice. The other options (A, B, and D) are all relevant topics for inclusion in an End User Code of Practice as they pertain to the appropriate use of technology resources, security measures, and reporting obligations.

Answer 135

A) Ability to audit a third-party supplier complying with contractual security requirements. When managing the risks associated with third-party suppliers' information security, it is important for a business to have the ability to audit the supplier's compliance with contractual security requirements. This ensures that the supplier is adhering to the agreed-upon security measures and protocols, reducing the risk of data breaches or other security incidents. By conducting audits, the business can assess the supplier's security practices and identify any potential vulnerabilities or areas for improvement. This helps in maintaining a higher level of information security within the business's supply chain.

Answer 136

D) Software Tokens. Software tokens are a type of multi-factor authentication technique that provides a combination of flexibility and low management overhead. Software tokens are typically implemented as mobile apps or software applications installed on a user's device. They generate one-time passwords (OTPs) that can be used for authentication. Compared to other options listed, such as synchronous and asynchronous hardware tokens or biometrics, software tokens offer greater flexibility as they can be easily deployed and managed without the need for physical tokens or specialized hardware. They can be installed on a wide range of devices, including smartphones and computers, making them convenient for users. Additionally, software tokens can be easily updated or revoked by the administrator, reducing management overhead. Overall, software tokens strike a balance between security and convenience, making them a suitable choice for organizations seeking multi-factor authentication with flexibility and minimal management requirements.

Answer 137

C) Decentralised access control. Decentralised access control refers to a model where access control decisions and enforcement are distributed across multiple locations or entities. In this system, each office or location has its own access control mechanisms and is responsible for managing access to its resources independently. This approach allows each office to have more control over its own access control policies and decisions, making it suitable for organizations with dispersed offices and limited connectivity between them. Decentralised access control offers flexibility because it allows local administrators or office managers to adapt access control policies to their specific needs and requirements. It does not rely heavily on centralized infrastructure or constant connectivity between offices, which can be challenging in situations with poor Internet connectivity. By implementing decentralised access control, each office can independently manage access to its resources, reducing dependence on central systems and providing greater flexibility in adapting to local conditions and requirements.

Answer 138

B) Authorization Permissions. In the context of a Linux file system, the combinations of "rwx" represent the authorization permissions associated with each file and directory. Each character in the combination represents a specific permission: - "r" stands for read permission, allowing the user to view the contents of a file or list the contents of a directory. - "w" stands for write permission, allowing the user to modify or delete a file or create, delete, or rename files within a directory. - "x" stands for execute permission, allowing the user to execute a file (if it is a program or script) or access a directory and its contents. These permissions can be assigned to three categories of users: the owner of the file, the group that the file belongs to, and others (all users not falling into the previous two categories). The combinations of "rwx" are displayed in sequence for each category, indicating the respective permissions for each. For example, "rwxr-xr--" indicates that the owner has read, write, and execute permissions, the group has read and execute permissions, and others have only read permission. By examining these permission combinations, users can determine who has what level of access to a particular file or directory and can manage access control accordingly.

Answer 139

C) Use well-remembered names or phrases from a social media profile. Using well-remembered names or phrases from a social media profile can make passwords more vulnerable to guessing or dictionary attacks. It is generally recommended to use complex and unique passwords that are not easily guessable or associated with personal information.

Answer 140

B) Media is labelled at the highest level of classification of the information it contains. Media might contain many different data objects so must be treated as its highest classification. When an organization labels its media based on the classification of the data it contains, the typical practice is to assign the label at the highest level of classification. This ensures that the media is appropriately marked with the highest level of sensitivity associated with the information it holds. By labelling at the highest level, it helps enforce access controls and security measures that are appropriate for handling and protecting the classified information.

Answer 141

C) Social Engineering. Penetration Testing: The process of evaluating the security footprint of computer systems by simulating the methods of a hacker. Social engineering is a penetration testing technique that involves manipulating individuals through psychological manipulation or deception to gain unauthorized access to information systems. In the context of security training and awareness, social engineering tests the organization's employees' ability to identify and respond appropriately to social engineering attacks, such as phishing emails, phone scams, or impersonation attempts. By simulating these attacks, an organization can assess the effectiveness of its security training programs and identify areas for improvement in employee awareness and response to potential threats.

Answer 142

A) Everyone within the organisation In preparing an organization for a potential disaster recovery situation, it is crucial that everyone within the organization receives initial business continuity training. This ensures that all employees have a basic understanding of their roles and responsibilities in the event of a disaster and are equipped with the necessary knowledge to take appropriate actions. By providing training to all employees, the organization can create a culture of preparedness and ensure that everyone has a shared understanding of the organization's disaster recovery plans and procedures. This inclusive approach helps to maximize the organization's overall readiness and response capabilities in the face of a disaster.

Answer 143

B) "Capture the Flag" competitions. "Capture the Flag" (CTF) competitions are widely recognized as a legitimate and ethical way for individuals involved in penetration testing to apply their training and skills. In CTF competitions, participants are presented with various challenges that simulate real-world security scenarios. They are tasked with identifying vulnerabilities, exploiting systems, and retrieving "flags" or pieces of information. CTF competitions provide a controlled environment where participants can practice their ethical hacking techniques and demonstrate their abilities while abiding by the law and respecting the rules set by the competition organizers.

Answer 144

D) Watching industry webinars held by a security professional body Watching industry webinars conducted by reputable security professional bodies is an effective way for professionals to stay informed about the latest technical cyber threats. These webinars are typically conducted by experts in the field and provide valuable insights, updates, and best practices related to cybersecurity. They offer reliable and up-to-date information that is relevant to the industry, making them a trusted and authoritative source for staying informed about emerging threats and security trends. On the other hand, options A, B, and C may provide some information, but they are not considered as authoritative sources for technical cyber threats. Social media posts may lack credibility and accuracy, dark web forums are often associated with illegal activities and may not provide reliable information, and internal company security awareness courses may not cover the broader industry-specific threats.

Answer 145

A) Secure coding training never finishes and always needs refreshing. Secure coding is a critical skill for application developers to ensure that their software is resilient against security vulnerabilities. However, the field of application security is constantly evolving, with new threats and attack techniques emerging regularly. Therefore, it is essential for developers to continuously update their knowledge and skills to stay current with the latest security practices. Secure coding training should be an ongoing process, and developers should regularly refresh their knowledge and stay informed about new security vulnerabilities, best practices, and mitigation techniques. This helps ensure that the applications they develop remain secure and resilient over time.

Answer 146

B) Worm. A worm is a type of malicious software that can spread across computer networks without requiring any user intervention. It is capable of replicating itself and spreading from one system to another by taking advantage of vulnerabilities in network protocols or operating systems. Unlike viruses, worms do not need to attach themselves to host files or programs to propagate. They can independently move through a network, infecting vulnerable systems and potentially causing widespread damage.

Answer 147

C) This is a phishing attack A phishing attack is a type of cyber attack where the attacker disguises themselves as a trustworthy entity in order to trick individuals into revealing sensitive information such as login credentials, financial details, or personal information. In this scenario, the suspicious email from the organization's suppliers, requesting payment of an attached invoice, is a common tactic used in phishing attacks. The goal is to deceive the accounts clerk into opening the attachment or clicking on a malicious link, which could lead to the compromise of sensitive information or the installation of malware. It is important for individuals to be cautious and verify the authenticity of such emails before taking any action to prevent falling victim to phishing attacks.

Answer 148

A) Gather intelligence from dark web malware forums Open source intelligence is derived from data and information that is available to the general public Dark web malware forums can provide valuable insights into the latest malware attacks and techniques used by cybercriminals. These forums are typically hidden and require specific tools or access to reach them. However, they can be a valuable source of information for cybersecurity professionals to gather intelligence on new virus malware attacks. In dark web malware forums, cybercriminals may share information about newly discovered vulnerabilities, exploit kits, malware variants, and techniques for evading detection. By monitoring these forums, security professionals can gain insights into emerging threats and understand the tactics used by attackers. It is important to note that accessing and participating in dark web forums may raise legal and ethical concerns. It should only be done by authorized individuals with the appropriate knowledge and permissions. Additionally, relying solely on dark web forums may not provide a comprehensive understanding of the threat landscape, and it should be complemented with other sources of information, such as security advisories, research reports, and collaboration with cybersecurity communities.

Answer 149

B) OWASP. OWASP (Open Web Application Security Project) is an organization that focuses on improving the security of web applications. They provide valuable resources, tools, and guidance for web application security. Their materials, such as the OWASP Top 10 list of web application vulnerabilities, can help security analysts understand the common attack vectors and the controls necessary to protect web servers and applications. PCIDSS (Payment Card Industry Data Security Standard) is a set of security standards specifically designed for organizations that handle payment card data. While it includes requirements for securing web applications, its scope is primarily focused on the protection of payment card information. IETF (Internet Engineering Task Force) is an organization that develops and promotes Internet standards. While they may contribute to the development of security standards and protocols, their materials may not specifically address the controls necessary for protecting web servers and applications. CSA (Cloud Security Alliance) is an organization that focuses on promoting best practices for secure cloud computing. While they may provide guidance on securing web-based applications within a cloud environment, their materials may not cover the full range of controls needed for all web servers and applications.

Answer 150

B) Reflected Input. Cross-site scripting (XSS) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by users. Reflected Input refers to the situation where user-supplied input is immediately reflected back to the user without proper validation or sanitization. This can occur when input provided by a user is not properly encoded or escaped before being displayed on a web page. Attackers can exploit this vulnerability by injecting malicious code that gets executed in the context of other users' browsers, potentially leading to unauthorized actions or theft of sensitive information. Input Validation (option A) is a general security practice to ensure that user inputs meet the expected format, type, or range. While it is important for overall application security, it alone does not specifically address the vulnerability of XSS. Token Injection (option C) refers to a different type of attack where an attacker manipulates authentication tokens to gain unauthorized access. It is not directly related to XSS. Man in the Middle (option D) is a type of attack where an attacker intercepts and alters communication between two parties. Although it can be used to exploit vulnerabilities in web applications, it is not specific to XSS. Therefore, the most relevant condition that increases the vulnerability to a cross-site scripting attack is B) Reflected Input.

Answer 151

A) Use of a demilitarised zone. A demilitarised zone (DMZ) is a network segment that is positioned between an internal network and an external network, such as the internet. It acts as a buffer zone, separating the internal network from the untrusted external network. Firewalls are configured to control the traffic flow between the internal network, the DMZ, and the external network. By using a DMZ, the network is partitioned and staggered, providing an additional layer of security by limiting direct access from external networks to the internal network. This helps protect sensitive resources and data from unauthorized access and potential attacks.

Answer 152

B) IPS (Intrusion Prevention System). Explanation: When trying to block an attack on a well-known vulnerability that may have breached the outer defences of an organization's network infrastructure, an Intrusion Prevention System (IPS) is the best form of control. An IPS is a security solution that monitors network traffic in real-time and actively blocks or prevents malicious activities or attacks from occurring. It can detect and respond to known vulnerabilities and attack patterns, providing an additional layer of protection beyond traditional firewalls. By analysing network traffic and applying predefined rules or signatures, an IPS can identify and block suspicious or malicious behaviour, helping to mitigate the impact of an attack and protect the organization's network and systems.

Answer 153

D) SSH. Telnet, Rsh, and EIA232 are not recommended for secure network transmission of console traffic. Telnet is an insecure protocol that transmits data in clear text, making it susceptible to eavesdropping and unauthorized access. Rsh is also an insecure protocol that lacks encryption and authentication mechanisms. EIA232, also known as RS-232, is a serial communication standard and not specifically designed for secure network transmission. On the other hand, SSH (Secure Shell) is a widely used cryptographic network protocol that provides secure remote access to network devices. It encrypts the communication between the client and server, ensuring the confidentiality and integrity of the console traffic. SSH also supports strong authentication mechanisms, protecting against unauthorized access. Therefore, when securing network management for an organization's network infrastructure, using SSH for secure network transmission of console traffic is the recommended choice.

Answer 154

A) IPSec IPSec (Internet Protocol Security) is a widely used VPN technology that provides a secure and encrypted communication channel over an untrusted network such as the internet. It offers strong security features, including encryption and authentication, to protect the confidentiality, integrity, and authenticity of data transmitted between the remote worker's home office network and the organisation's headquarters network. TLS/SSL (Transport Layer Security/Secure Sockets Layer) is commonly used to secure web-based communications but may not be the best choice for securing the entire network transmission between the remote worker's network and the headquarters network. GRE (Generic Routing Encapsulation) is a tunnelling protocol used for encapsulating packets but does not provide encryption or strong security features on its own. RDP (Remote Desktop Protocol) is a protocol used for remote desktop access and not specifically designed for securing network transmissions between networks. Therefore, IPSec is the most appropriate VPN technology for securing the network transmission in this scenario.

Answer 155

A) Wireless LANs cannot be accessed outside of the buildings they are installed in. This statement is not valid because wireless LANs (WLANs) can be accessed beyond the physical boundaries of the buildings they are installed in. Wireless signals can extend beyond the intended coverage area, allowing unauthorized individuals to potentially connect to the WLAN from outside the buildings. To secure wireless networks, organizations should implement appropriate security measures such as strong authentication methods (e.g., WPA2-Enterprise), encryption (e.g., WPA2), and network segmentation to restrict access and protect the confidentiality and integrity of the network traffic.

Answer 156

C) Ability to remotely remove corporate applications provided by an enterprise app store BYOD - Bring your own device (BYOD) refers to the trend of employees using personal devices to connect to their organizational networks and access work-related systems and potentially sensitive or confidential data. This control allows the organization to have control over the applications installed on the employee's devices. By utilizing an enterprise app store, the organization can remotely remove any corporate applications that may pose a security risk or violate the organization's policies. This helps in maintaining the integrity and security of the organization's data and ensures that only authorized and approved applications are used on the devices.

Answer 157

A) WAF (Web Application Firewall) A Web Application Firewall (WAF) is designed specifically to protect web applications from various types of attacks, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). It operates at the application layer of the network stack and helps to filter and monitor incoming and outgoing web traffic. A WAF can detect and block malicious requests, providing an additional layer of security to web applications. It is considered one of the most effective controls for securing web servers and web applications against web-based attacks.

Answer 158

A) Use of a Web Proxy. A Web Proxy acts as an intermediary between clients and web servers, allowing it to intercept and inspect the content of web traffic. By routing the web traffic through a Web Proxy, the organization can apply security controls, such as scanning for malicious content or enforcing access policies, to ensure the security of the communication. Key Declaration Policy (B) is not directly related to inspecting web-based communication but rather pertains to the management and declaration of cryptographic keys. A VPN (C) provides a secure encrypted tunnel for communication between two endpoints but does not specifically focus on inspecting the payload of web-based communication. Packet Sniffing (D) refers to capturing and analysing network traffic at the packet level. While it can provide visibility into the content of network traffic, it is not specifically tailored for secure web-based communication inspection. Therefore, the most appropriate choice in this scenario is A) Use of a Web Proxy.

Answer 159

B) Denial of Service attacks on the call manager VOIP - Voice Over Internet Protocol Denial of Service (DoS) attacks on the call manager can disrupt or completely disable the VOIP system, rendering it unavailable for communication. These attacks overload the call manager with a high volume of malicious traffic, causing it to become unresponsive. This can result in significant disruption to the organization's communication capabilities. Protecting against DoS attacks on the call manager involves implementing robust security measures, such as traffic filtering, rate limiting, and intrusion detection systems, to detect and mitigate such attacks effectively.

Answer 160

B) SIP (Session Initiation Protocol). SIP is a commonly used protocol in VoIP systems for initiating, modifying, and terminating multimedia communication sessions. It is responsible for establishing the necessary communication channels, negotiating the supported media formats, and handling call setup and teardown processes. SIP enables the establishment of voice and video calls over IP networks and is widely adopted in VoIP systems for its versatility and compatibility with various devices and platforms. SIP - session initiation protocol ( to manage the voip call) RTP - Real time transport protocol ( to send the voice packet)

Answer 161

A) Nominative. The accepted classifications of security controls are commonly categorized as preventive, detective, and corrective. These classifications describe the different types and purposes of security controls in managing and mitigating risks. 1) Preventive controls are designed to prevent or deter security incidents from occurring. They focus on proactively implementing measures to minimize vulnerabilities and protect against potential threats. 2) Detective controls are aimed at identifying and detecting security incidents or breaches after they have occurred. These controls help in monitoring and alerting the organization about suspicious activities or anomalies. 3) Corrective controls involve taking actions to address and mitigate the impact of a security incident or breach. These controls focus on restoring normal operations, fixing vulnerabilities, and recovering from security events. The option A) Nominative is not an accepted classification of security controls. It is not commonly recognized as a standard classification in the field of information security.

Answer 162

A) Authentication, Availability, and Accounting. The AAA Triad in information security refers to three fundamental principles: Authentication, Availability, and Accounting. 1. Authentication: This involves verifying the identity of users or entities trying to access a system or resource. It ensures that only authorized individuals or systems are granted access. 2. Availability: This refers to ensuring that resources and services are accessible and usable when needed. It involves implementing measures to prevent or mitigate disruptions, downtime, or denial-of-service attacks. 3. Accounting: This involves tracking and recording activities and events related to the use of resources or access to systems. It includes monitoring and logging user actions, generating audit trails, and maintaining records for accountability and forensic purposes. These three characteristics are crucial for maintaining the security and proper functioning of information systems. By ensuring proper authentication, availability, and accounting, organizations can protect their resources, manage access effectively, and track and analyse system activities for security and compliance purposes.

Answer 163

D) Defence in depth. Redundancy: The inclusion of extra components to provide for fault tolerance in the event of failure. Defence in depth is a security concept that involves implementing multiple layers of security controls to provide redundancy and protection against security breaches. It acknowledges that no single security control is fool proof, and by employing multiple layers of defence, the organization can mitigate the impact of control failures or vulnerabilities being exploited. Each layer adds an additional barrier, making it more difficult for attackers to penetrate the system. By implementing defence in depth, organizations can increase the overall security posture and resilience of their systems. If one control fails or a vulnerability is exploited, there are still additional layers of protection in place to prevent further compromise and limit the potential damage. It is a proactive approach to security that recognizes the need for multiple safeguards to defend against sophisticated and evolving threats.

Answer 164

A) Managed security services permit organizations to absolve themselves of responsibility for security. Managed security services (MSS) can help organizations shift the responsibility of managing their security to a third-party provider. By outsourcing security to an MSS, organizations can rely on the expertise and capabilities of the service provider to handle various security tasks, such as monitoring, threat detection, incident response, and vulnerability management. By engaging an MSS, organizations can offload the burden of maintaining an in-house security team and infrastructure. The MSS assumes the responsibility for implementing and managing security controls, staying updated with the latest threats and vulnerabilities, and ensuring compliance with security standards and regulations. This allows organizations to focus on their core business operations while benefiting from the specialized knowledge and resources of the MSS. However, it's important to note that even with the use of managed security services, organizations still retain some level of responsibility for their overall security posture and should actively collaborate with the service provider to ensure effective security measures are in place.

Answer 165

D) Don't touch any evidence until a senior digital investigator arrives. When preserving a crime scene for digital evidence, it is important for first responders to exercise caution and not disturb any potential evidence until a senior digital investigator arrives. Digital evidence is highly sensitive and can be easily tampered with or destroyed, so it is crucial to follow proper procedures and protocols. Waiting for a senior digital investigator ensures that an experienced professional with specialized knowledge in handling digital evidence is present to guide the process. They will have the expertise to properly collect, document, and analyse the evidence without compromising its integrity. Touching or handling the evidence without appropriate training and guidance may lead to contamination or the unintentional alteration of crucial evidence. Therefore, it is essential to wait for a senior digital investigator before taking any further actions.

Answer 166

B) Formal certification to ISO/IEC 27001 and alignment with ISO 17025. Formal certification to ISO/IEC 27001 is important as it demonstrates that the service provider has implemented a comprehensive information security management system. This certification ensures that the provider has established appropriate controls to protect the confidentiality, integrity, and availability of digital evidence. Alignment with ISO 17025, the standard for testing and calibration laboratories, is also valuable. It ensures that the service provider follows internationally recognized guidelines for quality assurance in forensic analysis. Considering these attributes helps ensure that the chosen service provider has the necessary qualifications, competence, and commitment to perform digital forensics services effectively and maintain the integrity of the evidence throughout the process.

Answer 167

B) Unshielded cabling. Unshielded cabling refers to network cables that do not have additional shielding to protect against electromagnetic interference (EMI). These cables are more susceptible to emitting electromagnetic signals, including unintentional or "false" emanations, which can mask the presence of true electromagnetic emanations from genuine computing equipment. By using unshielded cabling, the electromagnetic emissions from computing equipment can mix with the emissions from the cables, making it difficult to distinguish the true emanations from the equipment. This can potentially confuse or mislead individuals who are attempting to detect or intercept the electromagnetic signals. Unshielded cabling can be used as a physical security control in scenarios where it is desirable to mask the true emanations of computing equipment. However, it is important to note that this technique has limitations and may not provide a foolproof solution. Additionally, the use of unshielded cabling can introduce other security risks, such as increased vulnerability to eavesdropping or signal interference.

Answer 168

D) RSA RSA (Rivest-Shamir-Adleman) is an example of an asymmetric encryption algorithm. Unlike symmetric encryption algorithms such as DES (Data Encryption Standard) and AES (Advanced Encryption Standard), which use the same key for both encryption and decryption, RSA employs a pair of keys: a public key for encryption and a private key for decryption. This characteristic of RSA allows for secure communication between two parties without the need to share a common secret key. Other Asymmetric encryption algorithms Include: ECC - Elliptic Curve Cryptography ElGamal Diffie Hellman - A key exchange algorithm Symmetric encryption algorithms Include: DES - Data Encryption Standard 3DES - Triple DES AES - Advanced Encryption Standard RC5 - Rivest Cipher 5

Answer 169

A. Packet Sniffing. Packet sniffing is an attack technique where an attacker intercepts and captures network traffic, allowing them to view and analyze the contents of the packets being transmitted over the network. In the case of an unencrypted VoIP network, packet sniffing can directly compromise the confidentiality of the communication. By capturing and analyzing the voice packets, an attacker can potentially listen to the conversations and gather sensitive information. Brute force attacks involve systematically trying all possible combinations of passwords or encryption keys until the correct one is found. While a successful brute force attack could potentially compromise the confidentiality of an encrypted VoIP network, it is not directly applicable to an unencrypted network. Ransomware is a type of malware that encrypts files on a victim's system and demands a ransom for their decryption. While ransomware attacks can have severe consequences for data confidentiality, they do not specifically target VoIP networks. Vishing (voice phishing) is a social engineering attack where an attacker attempts to deceive individuals over the phone to obtain sensitive information. While vishing attacks can impact the confidentiality of the information shared during a VoIP call, they are not specific to the network itself.

Answer 170

C. Secure Sockets Layer (SSL). SSL was developed by Netscape in the mid-1990s as a protocol to provide secure communication over the internet. It was widely used for securing network connections, particularly in web browsers and web servers. Later, TLS was introduced as an upgraded version of SSL to address some of its security vulnerabilities and limitations. TLS builds upon the foundation of SSL and includes improvements and additional features to enhance security and cryptographic capabilities. Today, TLS is the more commonly used protocol for securing internet communication, including HTTPS, which is the secure version of HTTP.

Answer 171

A. Whaling. Whaling, also known as whale phishing, is a specific form of phishing that targets high-level executives or senior individuals in organizations. The term "whaling" is derived from the concept of targeting the "big fish" or high-value targets. Attackers use personalized and sophisticated techniques to deceive and manipulate these individuals into divulging sensitive information, making unauthorized transactions, or taking other actions that can lead to financial loss or compromise of the organization's security. Spear-phishing is another term used to describe targeted phishing attacks that focus on specific individuals or groups. However, whaling specifically refers to the targeting of senior individuals in an organization. C-suite spamming and trawling are not commonly used terms in the context of targeted attacks on senior individuals in organizations.

Answer 172

D. Turning on SSID broadcasts to advertise security levels. Turning on SSID broadcasts to advertise security levels. SSID (Service Set Identifier) is the name of a wireless network. By default, wireless access points broadcast their SSIDs to make it easier for devices to discover and connect to the network. However, hiding the SSID by disabling the broadcast is often recommended as a security measure. It makes the network less visible to unauthorized devices and potential attackers. The other options listed are generally considered best practices: Using WPA (Wi-Fi Protected Access) encryption on the wireless network is essential for securing the communication between devices and the access point. Using MAC (Media Access Control) filtering on a small office/home office (SOHO) network can provide an additional layer of security by allowing only specific devices with approved MAC addresses to connect. Dedicating an access point on a dedicated VLAN (Virtual Local Area Network) connected to a firewall helps isolate and protect the wireless network traffic from other parts of the network. It's worth noting that while hiding the SSID can add a layer of obscurity, it is not a fool proof security measure on its own. Other security measures such as strong encryption, authentication methods, and regular firmware updates should also be implemented to ensure a robust wireless network security posture.

Answer 173

Injection Flaws. Injection Flaws: Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query, leading to unintended execution of malicious commands. This includes SQL injection, NoSQL injection, OS command injection, and others. Security Misconfiguration: Security misconfiguration refers to insecure configurations of web applications, frameworks, servers, or other components. It can include default or weak configurations, unnecessary features or services enabled, missing security patches, and more. Cross-Site Scripting (XSS): XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. This can lead to unauthorized actions, data theft, or session hijacking. Broken Authentication: Broken authentication vulnerabilities involve weaknesses in authentication and session management mechanisms. This includes issues like weak password policies, session fixation attacks, insecure session storage, and more. Sensitive Data Exposure: Sensitive data exposure occurs when sensitive information, such as passwords, credit card details, or personal data, is not properly protected. This can result from insufficient encryption, insecure storage, or inadequate access controls. While poor password management and insecure deserialization are important security concerns, they are not included in the current OWASP Top 10 list of the most prevalent web application vulnerabilities. The OWASP Top 10 is regularly updated to reflect the changing landscape of web application security risks.

Answer 174

C. The software has been designed from its inception to be secure.

Answer 175

D. CSRF - (Cross-Site Request Forgery). CSRF is an attack that takes advantage of the trust relationship between a user's browser and a website. In a CSRF attack, an attacker tricks a victim into unknowingly submitting a malicious request to a website they are authenticated with. The request is usually sent to a third-party website that the victim has visited or is tricked into visiting. The attack works because many websites rely solely on the user's authentication credentials (such as cookies) to determine the validity of a request, without additional checks to ensure the request originated from the same site. Since the victim's browser automatically includes the necessary authentication credentials, the request appears legitimate to the targeted website. The attacker can exploit this trust relationship to perform malicious actions on behalf of the victim, such as changing account settings, making unauthorized transactions, or accessing sensitive information. To prevent CSRF attacks, websites typically implement countermeasures such as adding anti-CSRF tokens to each request, requiring additional confirmation for sensitive actions, and ensuring requests originate from the same site through referer validation or same-origin policies. Other options mentioned in the question: XSS (Cross-Site Scripting) is a different type of attack that involves injecting malicious scripts into web pages viewed by other users. Parameter Tampering refers to modifying the parameters of a request to manipulate the intended behavior of an application. SQL Injection is an attack where an attacker inserts malicious SQL code into a query to manipulate or extract data from a database.

Answer 176

D. Undertaking vishing attacks. Vishing (voice phishing) attacks involve using telephone calls or voice messages to deceive individuals into divulging sensitive information or performing certain actions. While vishing attacks are a common tactic employed by attackers, they typically do not involve leveraging botnets. On the other hand, the other options mentioned in the question are common ways in which attackers leverage botnets: A. Generating and distributing spam messages: Botnets can be used to send out massive volumes of spam emails, often promoting scams, phishing attempts, or malware distribution. B. Conducting DDoS attacks: Botnets can be harnessed to launch Distributed Denial of Service (DDoS) attacks, overwhelming a target system or network with a flood of traffic and rendering it inaccessible to legitimate users. C. Scanning for system & application vulnerabilities: Botnets can be used to automate the scanning of networks and systems for known vulnerabilities, allowing attackers to identify potential targets for exploitation. By controlling a network of compromised computers (botnet), attackers can carry out these malicious activities at scale, making it harder to trace back to their original source.

Answer 177

D) SMTPS. SMTPS (Simple Mail Transfer Protocol Secure) is the protocol that enables secure communication between email servers. It adds a layer of encryption to the standard SMTP protocol, ensuring that the email transmission is protected from unauthorized access or interception. By using SMTPS, the email data is encrypted, providing confidentiality and integrity during transmission. This helps prevent eavesdropping and tampering with sensitive email content, making it an effective control for protecting secure email exchange.

Answer 178

A. Customer's security team In IaaS, all virtual infrastructure components including security are the responsibility of the customer.

Answer 179

A) Data could be stored in any geographic destination One of the major considerations when storing data in a cloud environment is that it can be stored in various geographic locations depending on the cloud service provider. Unlike conventional on-premises data storage, where the physical location of the data is known and controlled by the organization, cloud storage allows for data to be distributed across multiple data centres or regions. This flexibility can bring benefits in terms of scalability, redundancy, and accessibility but also raises concerns about data privacy, regulatory compliance, and jurisdictional issues. Organizations must carefully consider the potential implications of data storage in different geographic destinations when adopting cloud services.

Answer 180

B) Reduces the complexity of desktops as only a browser is needed. When adopting Software as a Service (SaaS) cloud environments, the client desktops can benefit from improved security. By leveraging SaaS applications, the complexity of desktop environments can be reduced as users primarily require a web browser to access the applications. This means that organizations can focus their security efforts on securing the browser and the connection to the cloud environment, rather than managing and securing multiple applications and components on individual desktops. By reducing the attack surface and simplifying the desktop environment, it becomes easier to implement and maintain security controls, leading to improved overall security for the organization's client desktop environments.

Answer 181

A) Termination of service by cloud service provider. When organizations adopt a cloud service, they rely on the cloud service provider to deliver the service consistently and reliably. However, the termination of service by the cloud service provider poses a significant risk. If the provider suddenly terminates the service, it can disrupt the organization's operations, result in loss of data, and create a need for rapid migration to an alternative provider. This risk highlights the importance of considering the contractual agreements and service level agreements with the cloud service provider to ensure continuity and mitigation of such risks.

Answer 182

C) As Cloud computing is entirely on-premise, all vulnerabilities associated with Internet applications are associated with the local hardware. Option C is not a valid statement because it states that Cloud computing is entirely on-premise and all vulnerabilities associated with Internet applications are associated with the local hardware. This statement is incorrect as Cloud computing involves the use of remote servers and resources accessed over the internet, and it is not limited to on-premise infrastructure. Cloud computing introduces its own set of security considerations and vulnerabilities, which may be different from those associated with traditional on-premise environments. Options A, B, and D are valid statements regarding the technical controls necessary for cloud computing. Option A discusses the use of proxy and brokerage services to separate clients from direct access to shared cloud storage, which can enhance security and access control. Option B highlights the increased attack surface of distributed applications in comparison to LAN environments. Option D points out the security risk associated with the hypervisor, which is a key component of virtualization in cloud computing environments.

Answer 183

B) SIEM (Security Information and Event Management). SIEM (Security Information and Event Management) systems provide a centralized event logging capability that allows security operations teams to collect, monitor, and analyze security events and incidents across an organization's infrastructure. SIEM solutions aggregate logs and data from various sources, such as network devices, servers, applications, and security devices, and provide real-time analysis and correlation of events. By utilizing a SIEM system, security operations teams can have a comprehensive view of all security events and incidents, enabling them to detect and respond to potential threats in a timely manner. SIEM systems also provide features like log management, threat intelligence, and reporting, which further enhance an organization's ability to monitor and manage its security posture.

Answer 184

B. Threat categorisation. The acronym STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service & Elevation of Privilege) is particularly useful in the threat categorisation phase of a threat modelling process. It helps in identifying and categorizing different types of threats or attacks that can target a system or application. By considering each aspect of STRIDE, security professionals can systematically analyse the potential threats and their impact on the system's security. This categorization aids in understanding the specific risks and vulnerabilities associated with the system, enabling the development of appropriate security controls and countermeasures.

Answer 185

A) Access Control List Access Control Lists (ACLs) are used as a security mechanism to enforce authorization in various systems. An ACL is a list of permissions associated with an object, such as a file, folder, or resource. It specifies which users or groups have access rights and what operations they can perform on the object. By using ACLs, organizations can control and manage access to their resources, ensuring that only authorized individuals or entities are granted permissions.

Answer 186

D) Using security baselines. Creating benchmarks from the collected list of security controls is an example of using security baselines. Security baselines are standardized sets of security configurations and controls that are considered best practices for specific systems or environments. By establishing security baselines, organizations can define a minimum level of security requirements and ensure that their systems are configured consistently and in line with industry standards. These baselines help in maintaining a secure posture across various areas such as operating systems, server software, and network devices, providing a foundation for effective security management and reducing the risk of vulnerabilities and attacks.

Answer 187

A) Keep multiple copies of the backup media To mitigate the risk of data loss, organizations should implement robust backup practices such as keeping multiple copies of the backup media (Option A). This ensures that even if one copy is lost or becomes inaccessible, there are additional copies available for data recovery. Best practice is always to have multiple copies of backup media stored in different locations.

Answer 188

B) CCTV and motion detectors CCTV (Closed-circuit television) systems provide visual surveillance through video cameras, allowing real-time monitoring and recording of activities within the facility. Motion detectors can detect movement or unauthorized access in restricted areas and trigger alerts. Together, CCTV and motion detectors offer effective monitoring and evidence collection capabilities, enabling remote security management and timely response to any suspicious or unauthorized activities. This combination provides a robust physical security measure to ensure the safety and integrity of the data center environment.

Answer 189

A) Locate only in areas regularly patrolled by security staff Security staff might never visit an area where a wiring closet is based or it may be impractical to locate a wiring closet in main access areas.

Answer 190

C) Ensuring the device is crushed and reduced to small particles. When disposing of IT equipment, especially those with data retention capabilities, it is crucial to ensure that no data remains on the device to prevent unauthorized access or data breaches. While options such as multiple data wipes and removing the hard drive may provide some level of data erasure, they still carry a risk of potential data recovery. However, physically crushing the device and reducing it to small particles effectively destroys the storage media, making data recovery virtually impossible. This control provides a higher level of assurance that sensitive data is securely erased before disposal.

Answer 191

D) Use of a diamond shredder before managed disposal takes place Using a diamond shredder, which is a high-security shredding device capable of producing extremely small paper particles, ensures that the confidential information is thoroughly destroyed. This significantly reduces the risk of sensitive data being reconstructed or accessed by unauthorized individuals. After shredding, the managed disposal of the shredded material should be carried out in a secure manner to maintain the confidentiality of the information.

Answer 192

A) RFID RFID (Radio Frequency Identification) technology uses radio waves to identify and track objects. It consists of tags that are attached to the components or goods and readers that can wirelessly communicate with the tags. RFID provides a secure and efficient way to track items throughout the supply chain, allowing for real-time visibility and monitoring. It offers advantages over other options such as barcodes as RFID tags can be read without line-of-sight, can store more information, and enable automated tracking and data capture.

Answer 193

C) Implementing a RAID system RAID (Redundant Array of Independent Disks) is a technology that provides fault tolerance and data redundancy. Implementing a RAID system can help protect against data loss and ensure that critical data remains accessible even if one or more disks fail. Business continuity plans detail what steps should be taken to keep business going in advance of an event happening rather than recovering from a disaster. Hence implementing RAID means business carries on even if part of a storage systems fails.

Answer 194

A) Cold site A cold site is an alternative data processing facility that provides essential infrastructure such as HVAC (Heating, Ventilation, and Air Conditioning), power, and communications infrastructure, but does not have any computing hardware in place. In the event of a disaster, the organization would need to install and configure their own computing hardware at the cold site to resume operations. Cold sites are typically less expensive than warm or hot sites but require longer recovery times as they lack pre-configured computing equipment.

Answer 195

B. 1 and 2 1. Within a secure cloud storage service 2. Offsite within a firesafe Within a secure cloud storage service: Storing backup data in a secure cloud storage service ensures that the data is protected from physical disasters and provides the advantage of offsite storage. Cloud storage services often offer robust security measures and redundancy to safeguard the data. Offsite within a firesafe: Storing backup data offsite within a firesafe adds an extra layer of protection against physical disasters, such as fire or water damage. Firesafes are designed to withstand high temperatures and provide a secure environment for storing important documents or data.

Answer 196

E. All of the Above All of these scenarios are disasters, natural or manmade.

Answer 197

D. Simulation test A Simulation test involves simulating a disaster scenario without actually disrupting the live facility. It allows the organisation to assess the effectiveness of their disaster recovery plan by going through the motions of responding to a simulated disaster event. This can include activities such as role-playing, tabletop exercises, or using specialized software tools to simulate the disaster and evaluate the response. By conducting a Simulation test, the organisation can identify any weaknesses or gaps in their disaster recovery plan and make necessary adjustments without impacting the live facility. It provides an opportunity to train and educate the disaster recovery team, test communication channels and procedures, and ensure the plan is robust and effective.

Answer 198

B. Chain of custody. When handling digital evidence, maintaining a clear and documented chain of custody is crucial. The chain of custody refers to the chronological documentation of the possession, control, transfer, and analysis of the evidence. It ensures that the integrity and authenticity of the evidence are preserved, and it establishes a clear trail of who had access to the evidence at all times. Adhering to a proper chain of custody helps maintain the admissibility and reliability of the digital evidence in legal proceedings and ensures accountability and trustworthiness in the handling of the evidence.

Answer 199

1,2 and 4 All points apart from 3 apply as civilians can undertake forensic investigations under the control of a senior investigating law enforcement officer.

Answer 200

A) Open Source Intelligence. Open Source Intelligence (OSINT) refers to the collection and analysis of information from publicly available sources. It is a technique used by law enforcement and commercial organizations to gather data and insights from the Internet, Deep web, and the Dark Web. OSINT involves accessing and analyzing information from sources such as social media platforms, websites, forums, blogs, news articles, and more. By leveraging OSINT, organizations can gather valuable threat intelligence, identify potential risks, and understand the tactics, techniques, and procedures employed by threat actors. It helps in assessing the security posture, identifying vulnerabilities, and making informed decisions regarding cybersecurity and risk mitigation strategies. OSINT is a vital tool for gathering information and staying updated on emerging threats in the digital landscape.

Answer 201

A) Non-repudiation Non-repudiation is the attribute of cryptography that ensures the sender of a message cannot deny having sent it. In the given scenario, Alice wants to provide evidence to a third party, Fred, that the message received originated from Bob and cannot be repudiated by him. Non-repudiation mechanisms, such as digital signatures, can be used to provide proof of the message's origin and integrity, making it difficult for the sender to deny their involvement. This attribute helps establish trust and accountability in communication transactions.

Answer 202

C) Shared secret key to decrypt the message. In symmetric cryptography, the same secret key is used for both encryption and decryption. Since Valerie encrypted the message using symmetric cryptography, she would have used a shared secret key that Betty must also possess in order to decrypt the message successfully. Using Betty's or Valerie's public key (options A and B) would not be suitable for symmetric encryption. Valerie's private key (option D) is not used for message decryption in symmetric cryptography.

Answer 203

1. The company has a zero-day vulnerability. 2. The company was compromised by a zero-day exploit. When a vulnerability exists but there is no patch to fix it, it is a zero-day vulnerability. When exploit code exists to take advantage of a zero-day vulnerability, it is called a zero-day exploit. In this scenario, because the computer was up to date on patches, we can conclude that there was a zero-day vulnerability and a zero-day exploit.

Answer 204

2. Quality of service Quality of service provides priority service to a specified application or type of communication. In this scenario, call quality is being impacted by other services on the network. By prioritizing the network communication for the IP phones, you can maximize their performance (though that might impact something else).

Answer 205

4. Parallel The first key requirement in this scenario is that the data centre must not be impacted by the testing. This eliminates the partial interruption and full interruption tests because those impact the data centre. The other key requirement is that IT teams must perform recovery steps. This requirement eliminates the tabletop testing because tabletop testing involves walking through the plans, but not performing recovery operations.

Answer 206

B. Deterrent Deterrent frameworks are technology-related and used to discourage malicious activities. For example, an intrusion prevention system or a firewall would be appropriate in this framework. There are three other primary control frameworks. A preventative framework helps establish security policies and security awareness training. A detective framework is focused on finding unauthorized activity in your environment after a security incident. A corrective framework focuses on activities to get your environment back after a security incident. There isn’t an assessment framework.

Answer 207

B. Quantitative You have three risk analysis methods to choose from: qualitative (which uses a risk analysis matrix), quantitative (which uses money or metrics to compute), or hybrid (a combination of qualitative and quantitative but not an answer choice in this scenario). Because the ISP has monitoring and log data, you should use a quantitative approach; it will help quantify the chances of additional customers experiencing a security risk. STRIDE is used for threat modelling. A market approach is used for asset valuation. A reduction analysis attempts to eliminate duplicate analysis and is tied to threat modelling.

Answer 208

B. Recovery point objective (RPO) The RTO establishes the maximum amount of time the organization will be down (or how long it takes to recover), the RPO establishes the maximum data loss that is tolerable, the MTD covers the maximum tolerable downtime, and MDT is just a made-up phrase used as a distraction. In this scenario, with the focus on the data loss, the correct answer is RPO.

Answer 209

B. Layer 3 In this scenario, the information indicates that the issue is with the routing of the network communication. Routing occurs at Layer 3 of the OSI model. Layer 3 is typically handled by a router or the routing component of a network device. 7. Application Layer The application layer is used by end-user software such as web browsers and email clients. It provides protocols that allow software to send and receive information and present meaningful data to users. A few examples of application layer protocols are the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), and Domain Name System (DNS). 6. Presentation Layer The presentation layer prepares data for the application layer. It defines how two devices should encode, encrypt, and compress data so it is received correctly on the other end. The presentation layer takes any data transmitted by the application layer and prepares it for transmission over the session layer. 5. Session Layer The session layer creates communication channels, called sessions, between devices. It is responsible for opening sessions, ensuring they remain open and functional while data is being transferred, and closing them when communication ends. The session layer can also set checkpoints during a data transfer—if the session is interrupted, devices can resume data transfer from the last checkpoint. 4. Transport Layer The transport layer takes data transferred in the session layer and breaks it into “segments” on the transmitting end. It is responsible for reassembling the segments on the receiving end, turning it back into data that can be used by the session layer. The transport layer carries out flow control, sending data at a rate that matches the connection speed of the receiving device, and error control, checking if data was received incorrectly and if not, requesting it again. 3. Network Layer The network layer has two main functions. One is breaking up segments into network packets, and reassembling the packets on the receiving end. The other is routing packets by discovering the best path across a physical network. The network layer uses network addresses (typically Internet Protocol addresses) to route packets to a destination node. 2. Data Link Layer The data link layer establishes and terminates a connection between two physically-connected nodes on a network. It breaks up packets into frames and sends them from source to destination. This layer is composed of two parts—Logical Link Control (LLC), which identifies network protocols, performs error checking and synchronizes frames, and Media Access Control (MAC) which uses MAC addresses to connect devices and define permissions to transmit and receive data. 1. Physical Layer The physical layer is responsible for the physical cable or wireless connection between network nodes. It defines the connector, the electrical cable or wireless technology connecting the devices, and is responsible for transmission of the raw data, which is simply a series of 0s and 1s, while taking care of bit rate control.

Answer 210

B. Collision avoidance In this scenario, collision avoidance is used. Wireless networks use collision avoidance specifically to address the issue described in the scenario (which is known as the “hidden node problem”).

Answer 211

E. SIP SIP is a communications protocol used for multimedia communication such as internal voice calls. In this scenario, you need to capture SIP traffic to ensure that you are only capturing traffic related to the phone calls. SIP - Session Initiation Protocol is a signalling protocol used for initiating, maintaining, and terminating communication sessions that include voice, video and messaging applications. VoIP - Voice over Internet Protocol is a type of phone system that uses an internet connection to make and receive calls, rather than traditional landlines. E.G. Skype, discord, WhatsApp, Teams.

Answer 212

B Risk Appetite. Risk Appetite: The amount of risk a business is prepared to accept in pursuit of its mission. This level will be below the risk capacity. Risk Capacity: The risk capacity of a business is the maximum amount of risk the business could absorb without its viability being affected. This is a level we do not go anywhere near if possible. Risk Acceptance: This is the lowest level, being the amount of risk the business will accept on a daily basis after risk treatments have been applied. Controls have reduced to an economically feasible level, and the business accepts what remains. Risk Tolerance: This is a level that sits between the risk acceptance level and the risk appetite. Risk tolerance is the variation in risk that a business may accept when there is a particular target to be reached. Risk tolerance is where the business may go beyond the risk appetite in the short term, call it wiggle room.

Answer 213

A) Improved resilience against and recovery time from a harmful incident. Implementing appropriate information security measures helps an organization enhance its ability to withstand and recover from harmful incidents such as security breaches, cyberattacks, natural disasters, or operational disruptions. By having robust security controls, incident response plans, and business continuity strategies in place, the organization can minimize the impact of such incidents, reduce downtime, and ensure a quicker recovery, thus improving its overall resilience. This benefit is crucial for maintaining the continuity of operations and minimizing potential financial, operational, and reputational damages.

Answer 214

D. Accidental. The threats of human error, malfunctions, fire, and flood are classified as accidental threats. These threats are typically unintentional and can arise due to mistakes, system failures, natural disasters, or accidents. While they may have significant consequences for an organization's operations and security, they are not caused by malicious intent or external factors. It is important for organizations to consider these accidental threats in their risk assessments and implement appropriate preventive measures and mitigation strategies to minimize their impact.

Answer 215

C. Ransomware. Ransomware is a form of malicious software that encrypts a victim's files or locks their computer until a ransom is paid. It is a deliberate threat because it is intentionally designed to cause harm and extort money from the victim.

Answer 216

B. Open Source Intelligence (OSINT). Open Source Intelligence refers to the collection and analysis of information that is publicly available from various sources, such as websites, social media, news articles, and other publicly accessible information. It is an important technique used in information security to gather insights and intelligence about potential threats, vulnerabilities, and risks.

Answer 217

A. Avoidance. Avoidance is a strategic option for dealing with information risk. It involves taking actions to eliminate or minimize the risk by avoiding the activities or situations that could lead to the risk. In the context of information risk, avoidance may include avoiding the use of certain technologies or practices that pose a high level of risk, or avoiding engagement with certain types of data or activities that could expose the organization to potential risks. By avoiding the risk altogether, organizations can reduce their exposure and potential impact of adverse events.

Answer 218

D. Determine the classification programme objectives The first step in setting out an information classification strategy is to determine the classification program objectives. By determining the classification program objectives, you establish the goals and desired outcomes of the classification process. This step helps define the purpose of the classification, such as protecting sensitive information, ensuring regulatory compliance, or facilitating data sharing. Once the objectives are clear, you can proceed with identifying relevant information, developing classification labels and policies, and assigning ownership and responsibilities.

Answer 219

C. A specification for an Information Security Management System. ISO/IEC 27001 is an internationally recognized standard that provides a systematic approach to managing information security within an organization. It sets out the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The standard provides a comprehensive framework for managing the security of information assets, including risk management processes, control implementation, and ongoing monitoring and evaluation. It is widely used to guide organizations in implementing effective information security practices and ensuring the confidentiality, integrity, and availability of their information assets.

Answer 220

A. Intellectual Property. Intellectual property refers to the creations of the mind, such as inventions, literary and artistic works, symbols, names, images, and designs, for which exclusive rights are recognized. These exclusive rights enable individuals or organizations to benefit from their creative or intellectual endeavours by granting them the authority to control and protect their creations. Intellectual property rights include patents, copyrights, trademarks, and trade secrets, providing legal protection and incentives for innovation, creativity, and economic growth.

Answer 221

D. Preventing an individual from having sole responsibility for payments. By implementing segregation of duties, critical tasks and responsibilities are divided among multiple individuals. In the context of financial transactions and payments, no single individual has complete control over the entire process, including initiation, authorization, and recording of transactions. This prevents any one person from having the ability to carry out fraudulent or unauthorized actions without detection. Segregation of duties introduces checks and balances, ensuring that there is independent oversight and review of financial activities. It reduces the risk of fraud, errors, and unauthorized transactions by requiring the involvement of multiple individuals and ensuring accountability and transparency in the process.

Answer 222

A. ISO/IEC 27017. ISO/IEC 27017 is a standard specifically focused on providing guidance and implementing information security controls within the context of cloud computing. It provides additional controls and guidance to be used in conjunction with ISO/IEC 27002, which is a broader standard for information security management systems. ISO/IEC 27017 addresses the unique risks and considerations associated with cloud-based services, helping organizations establish and maintain effective security measures to protect their information assets in cloud environments. It covers areas such as cloud-specific risks, cloud service management, and the relationship between cloud service providers and customers.

Answer 223

B. Infrastructure-as-a-Service. IaaS provides virtualized computing resources such as virtual machines, storage, and networks, allowing users to manage and control their own operating systems and applications. With IaaS, the responsibility for managing and securing the underlying infrastructure lies with the cloud service provider, while the users have more control over the applications and data they deploy on the infrastructure. In contrast, services such as Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) involve higher levels of abstraction and may include pre-built software applications or development platforms. This can introduce potential legal issues related to Intellectual Property Rights (IPR), such as licensing agreements, copyright infringements, or unauthorized use of proprietary software or intellectual property. However, it's important to note that while IaaS may be less likely to directly cause legal problems relating to IPR, the responsibility for ensuring compliance with IPR laws still lies with the user or customer who deploys their applications and data on the infrastructure. It's always advisable to carefully review and adhere to the terms and conditions of the cloud service provider and any applicable licensing agreements to avoid any potential legal issues.

Answer 224

C. Focus on management of contracts rather than technology. In a traditional IT management setup, the focus is primarily on owning and managing the infrastructure, hardware, and software internally. IT support staff are responsible for maintaining and supporting the infrastructure and ensuring its availability and security. When transitioning to a cloud-based approach, organizations rely on external cloud service providers for infrastructure, platforms, or software services. This shift requires a change in mindset from managing technology internally to managing contracts and relationships with the cloud service providers. Organizations need to focus on selecting the right cloud service providers, negotiating and managing contracts, and ensuring compliance with service-level agreements (SLAs) and security requirements. While some aspects of IT support may still be necessary in a cloud-based approach, the responsibilities and tasks of IT support staff may change. Instead of managing and maintaining physical infrastructure, the focus may shift towards monitoring service performance, incident management, and ensuring the effective utilization of cloud resources. It's important to note that the other options mentioned in the question are not the core change required when moving to a cloud-based approach. Redeployment or removal of current IT support staff (option A) is not necessarily required, as their roles may evolve rather than being eliminated. Dismantling of all physical security controls (option B) is not accurate, as security considerations are still important in a cloud environment. Immediate certification to ISO/IEC 27001 (option D) is not a core change but rather a potential step for demonstrating compliance with information security standards in the cloud environment

Answer 225

A. CMDB (Configuration Management Database). A CMDB is a central repository that contains information about all the configuration items (CIs) in an organization's IT infrastructure. This includes hardware, software, networks, and other IT assets. The CMDB helps in managing and tracking the configuration items throughout their lifecycle, including details about their attributes, relationships, and dependencies. As part of managing information security, organizations maintain a list of information assets within their CMDB. This list includes all the important information assets that need to be protected, such as databases, servers, applications, network devices, and sensitive data repositories. It provides a comprehensive view of the organization's information assets and helps in identifying and managing security risks associated with those assets. The other options mentioned in the question are not typically associated with maintaining a list of information assets within an organization: ISMS (Option B) refers to an Information Security Management System, which is a framework of policies, procedures, and controls for managing information security within an organization. While an ISMS may include asset management as one of its components, it does not specifically provide a list of information assets. BCDR (Option C) stands for Business Continuity and Disaster Recovery, which focuses on planning and preparedness for managing disruptions and recovering from disasters. While it may involve identifying critical information assets, it does not provide a comprehensive list of all information assets within an organization. CISO (Option D) refers to the Chief Information Security Officer, who is responsible for overseeing the organization's information security program. While a CISO may be involved in asset management, the role itself does not provide a specific list of information assets.

Answer 226

B. Onion skin. The concept of onion skin security is derived from the layers of an onion, where each layer provides an additional level of protection. In the context of information security, onion skin security refers to the practice of implementing multiple layers of physical security controls to create a comprehensive and robust defense mechanism. Each layer in the onion skin security model represents a different security control, such as access controls, surveillance systems, intrusion detection systems, alarms, locks, and barriers. By combining these layers, organizations create a defense-in-depth strategy, making it more challenging for unauthorized individuals to breach the security perimeter and gain access to sensitive information assets. The term "thermal layering" (Option A) is not commonly used in the context of information security and does not specifically describe the use of multiple physical security controls. "Security through obscurity" (Option C) refers to the practice of relying on secrecy or the lack of public knowledge about the security measures in place. It is generally considered a weak security approach and should not be solely relied upon. "Asset dispersal" (Option D) typically refers to the practice of distributing or spreading out information assets across different locations to mitigate the risk of a single point of failure. While it is a valid strategy for reducing risk, it does not specifically refer to the use of multiple physical security controls.

Answer 227

C. Armoured cable. Armoured cable, also known as armoured fibre cable or armoured Ethernet cable, is a type of cable that is designed with additional protection to enhance its durability and resistance to physical damage. It typically consists of a metallic armour layer, such as steel, that provides a barrier around the internal wires or fibres. In the context of protecting information in transit, using armoured cable can help safeguard the transmission of data across physically unprotected environments. The armour layer adds an extra level of protection, making the cable more resistant to impacts, crushing, cuts, and other physical hazards that could potentially disrupt or compromise the transmission of information. Options A, B, and D (Coaxial cable, Cat 5 Ethernet, and Twisted pair) are all types of cables commonly used for data transmission, but they do not provide the same level of physical protection as armoured cable. While they may have their own benefits and characteristics suitable for specific environments, they may not be as effective in physically unprotected environments where the risk of damage or interference is higher. Therefore, when the transmission of information needs to traverse a physically unprotected environment, using armoured cable is a recommended countermeasure to ensure the integrity and reliability of the data being transmitted.

Answer 228

D. ISO 22301. ISO 22301, titled "Security and resilience – Business continuity management systems – Requirements," provides a framework and set of requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving a business continuity management system (BCMS). It helps organizations prepare for, respond to, and recover from disruptive incidents that may cause interruptions to their normal operations. ISO 22301 outlines the key components and best practices for effective business continuity management, including risk assessment, business impact analysis, development of business continuity plans and strategies, communication and coordination during disruptions, and regular testing and exercising of the BCMS. It provides a systematic approach to identifying and managing risks, ensuring the availability of critical resources, and minimizing the impact of disruptions on the organization's ability to deliver its products or services. While the other options mentioned, such as COBIT, ISO/IEC 27001, and NIST SP 800-53, are also important standards in the field of information security and governance, they are not specifically focused on business continuity management like ISO 22301. COBIT provides a framework for IT governance and management, ISO/IEC 27001 focuses on information security management systems, and NIST SP 800-53 provides security and privacy controls for federal information systems in the United States. Therefore, when it comes to business continuity, ISO 22301 is the international standard that organizations can refer to for guidance on establishing and maintaining effective business continuity management systems.

Answer 229

A. Business continuity is about ensuring an organisation continues to operate during a disruptive event, while disaster recovery is the process of resolving the disruption itself. Business continuity and disaster recovery are related concepts but have distinct purposes. Business continuity refers to the proactive planning and preparations that an organization undertakes to ensure its critical functions and operations can continue during and after a disruptive event. It involves identifying potential risks, developing strategies to mitigate those risks, and implementing measures to ensure the continuity of essential services. Business continuity aims to minimize downtime, maintain customer service, and protect the organization's reputation and revenue streams. Disaster recovery, on the other hand, is the reactive process of recovering and restoring the organization's IT infrastructure, systems, and data after a disruptive event has occurred. It involves executing predefined recovery plans, restoring backups, rebuilding systems, and ensuring that the organization can resume normal operations as quickly as possible. Disaster recovery focuses on the technical aspects of recovering from the disruption, such as restoring IT systems, networks, and data. While business continuity encompasses a broader scope and includes proactive planning to ensure business operations can continue, disaster recovery specifically deals with the reactive measures to recover from a disruption and restore normal operations. Option B is incorrect because although the terms are related, they are not interchangeable. Options C and D are incorrect because they do not accurately describe the differences between business continuity and disaster recovery. Therefore, option A is the most accurate description of the difference between business continuity and disaster recovery.

Answer 230

B. The core purpose of a PKI (Public Key Infrastructure) is to facilitate the secure electronic transfer of information for a range of network activities. A PKI is a system of hardware, software, policies, and procedures that enable the creation, distribution, management, and revocation of digital certificates and public-private key pairs. It provides a framework for secure communication and authentication over networks. PKI plays a crucial role in ensuring the confidentiality, integrity, and authenticity of data transferred over networks. It achieves this by using asymmetric encryption, where each user has a pair of cryptographic keys: a public key and a private key. The public key is widely distributed and used for encryption, while the private key is kept secret and used for decryption. The core purpose of a PKI is to establish trust and enable secure communication by verifying the authenticity of digital certificates and facilitating the encryption and decryption of data. It enables activities such as secure email communication, digital signatures, secure web browsing, and other network transactions. Option A is incorrect because while encryption is one of the functions enabled by a PKI, its core purpose extends beyond encrypting large databases. Option C is incorrect because although PKI can contribute to national security, its primary purpose is not limited to that. Option D is incorrect because while PKI can be used to protect intellectual property rights, its core purpose extends beyond organizations in the government and defense sectors. Therefore, option B best describes the core purpose of a PKI.

Answer 231

C. 12 A MAC address consists of 12 hexadecimal characters. It is made up of 6 groups of 2 hexadecimal characters each, separated by colons or hyphens. Each hexadecimal character represents 4 bits, resulting in a total of 48 bits for a MAC address.

Answer 232

C) A hardware address assigned to a network interface controller A MAC address, or Media Access Control address, is a unique identifier assigned to a network interface controller (NIC) of a network device. It is a hardware address that is embedded into the network interface card and used to uniquely identify devices on a local network. MAC addresses are used at the data link layer of the OSI model.

Answer 233

B) A vulnerability that allows an attacker to execute malicious scripts in a user's web browser. Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when a web application does not properly sanitize user input, allowing an attacker to inject malicious scripts into web pages viewed by other users. These scripts can be used to steal sensitive information, such as login credentials or session cookies, or to perform other malicious actions on the user's behalf. XSS attacks typically target websites that allow user-generated content or fail to properly validate and sanitize input data.

Answer 234

C) Injection of malicious code into the website. Cross-Site Scripting (XSS) attacks involve injecting malicious code into a website, which can then be executed by unsuspecting users in their web browsers. This injected code can be used to steal sensitive information, such as login credentials or personal data, redirect users to malicious websites, or perform other unauthorized actions on the user's behalf. By injecting and executing malicious code, attackers can exploit the trust and privileges of the affected website to achieve their malicious objectives.

Answer 235

B) The risk that remains after implementing risk mitigation measures. Residual risk refers to the level of risk that remains after implementing risk mitigation measures or controls. Risk mitigation measures are implemented to reduce the likelihood or impact of identified risks. However, even with these measures in place, there may still be some level of risk that remains. This residual risk represents the remaining exposure that an organization has to potential threats and vulnerabilities. It is important to assess and manage residual risk to ensure that any remaining risks are within acceptable tolerance levels and that appropriate actions are taken to mitigate or manage them effectively.

Answer 236

B) A discussion-based exercise involving key stakeholders to assess the plan's viability. In the context of a business continuity plan, a tabletop exercise is typically a scenario-based discussion involving key stakeholders. It is designed to evaluate the plan's effectiveness, identify potential gaps or weaknesses, and assess the organization's preparedness for various disruptive events. During a tabletop exercise, participants discuss their roles and responsibilities, explore decision-making processes, and evaluate the plan's viability in a simulated environment. This exercise helps improve coordination, communication, and decision-making capabilities without the need for a full-scale, real-time incident.

Answer 237

B. cost-effective decisions are made with regard to which assets need protection An information security risk analysis helps an organization in making cost-effective decisions regarding which assets need protection the most. Risk analysis involves identifying and assessing potential risks and vulnerabilities, estimating the likelihood and impact of those risks, and prioritizing them based on their significance to the organization. By conducting a risk analysis, an organization can allocate its resources and investments more effectively, focusing on areas that pose the greatest threats and require the most attention. It enables the organization to prioritize security measures and implement appropriate controls to mitigate the identified risks.

Answer 238

D. requirements of local regulations take precedence. In a multinational organization, local security regulations should be implemented over global security policy because the requirements of local regulations take precedence. Each country or region may have its own specific laws, regulations, and compliance requirements regarding information security. These local regulations must be followed to ensure legal compliance and avoid penalties or legal issues. While global security policies provide a framework for overall security management, they may not cover all the specific requirements of each local jurisdiction. Therefore, it is important to prioritize and implement local security regulations to meet the specific legal and regulatory obligations of each region where the organization operates.

Answer 239

B. conduct a risk assessment. To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST conduct a risk assessment. A risk assessment helps identify and evaluate the potential risks and vulnerabilities associated with the new regulatory requirement. It involves assessing the likelihood and potential impact of non-compliance, identifying existing controls that may already address the requirement, and determining any gaps that need to be addressed. By conducting a risk assessment, the information security manager can prioritize and plan the necessary actions to ensure compliance and mitigate any potential risks associated with the new regulatory requirement. Conducting a risk assessment provides a solid foundation for making informed decisions and taking appropriate actions to align information security controls with the regulatory requirements.

Answer 240

D. Risk management When management changes the enterprise business strategy, it is important to evaluate the existing information security controls and select new ones based on the changes in the business environment and associated risks. Risk management is the process of identifying, assessing, and managing risks to achieve business objectives. It involves evaluating the potential impacts and likelihood of risks, and then implementing appropriate controls to mitigate or manage those risks. By utilizing risk management, an organization can assess the effectiveness of existing information security controls in light of the new business strategy. It allows for the identification of any gaps or weaknesses in the current controls and provides a framework for selecting and implementing new controls that align with the revised business strategy. Risk management ensures that security measures are appropriately updated to address the evolving risks and support the organization's objectives. While access control management (option A), change management (option B), and configuration management (option C) are important processes in information security, they are not specifically focused on evaluating and selecting controls in response to changes in the enterprise business strategy. Risk management is the most relevant process in this context.

Answer 241

D. Establish incentives and a channel for staff to report risks. (Incentives - a thing that motivates or encourages someone to do something. E.G. Extra Paid holiday, etc) Building a risk-aware culture within an organization requires not only effective communication of threats (option B), but also establishing mechanisms that encourage and support employees to report risks they observe. By establishing incentives and a channel for staff to report risks (option D), organizations can foster a culture where employees are actively engaged in identifying and reporting potential risks. This helps in early detection and mitigation of risks, contributing to improved overall security posture. Periodically changing risk awareness messages (option A) can be a good practice to keep security awareness fresh, but it alone does not address the fundamental aspect of employees actively reporting risks. Option C, periodically testing compliance with security controls and posting results, is important for assessing the effectiveness of controls but does not specifically focus on building a risk-aware culture. While all the options may contribute to different aspects of managing risk and security awareness, option D is the most direct and comprehensive approach for building a risk-aware culture by encouraging employees to report risks and ensuring they have the means to do so.

Answer 242

C. Create an addendum to the existing contract. (Addendum - is an item of additional material added at the end of a book or document, typically in order to correct, clarify, or supplement something.) Creating an addendum to the existing contract (option C) allows the information security manager to address the issue by specifically identifying and including the necessary requirements for safeguarding the organization's critical data. This ensures that the expectations for data protection are clearly defined and agreed upon by both parties. Cancelling the outsourcing contract (option A) may be an extreme measure and should only be considered if the issue cannot be resolved through other means. Transferring the risk to the provider (option B) without clearly specifying the requirements may not provide adequate protection for the organization's critical data. Initiating an external audit of the provider's data centre (option D) can be a good practice for assessing the provider's security controls, but it does not directly address the issue of lacking requirements in the contract. Therefore, the most appropriate and practical recommendation in this scenario would be to create an addendum to the existing contract (option C) to ensure that the organization's critical data is adequately safeguarded

Answer 243

A. Controls to be monitored Before implementing a SIEM tool, it is crucial to identify and define the controls that need to be monitored within the organization's environment. This involves understanding the specific security requirements, regulatory compliance obligations, and the types of events and activities that should be monitored for potential security incidents. By clearly identifying the controls to be monitored, the organization can align the SIEM tool's capabilities and configuration to effectively detect and respond to security events. While the other options are also important considerations, they are secondary to determining the controls to be monitored. Reporting capabilities (option B) are valuable for analyzing and presenting security event data, but without a clear understanding of the controls, the reports may not be relevant or effective. The contract with the SIEM vendor (option C) is important for establishing the terms and conditions of the tool's implementation, but it can be addressed once the controls to be monitored are defined. Available technical support (option D) is essential for ongoing maintenance and troubleshooting, but it should be considered after the controls and requirements are determined. Therefore, the primary focus should be on identifying the controls to be monitored (option A) as the most important consideration before implementing a SIEM tool.

Answer 244

A. Definitions of responsibilities An enterprise security policy serves as a high-level document that outlines the organization's approach to information security and sets the direction for security-related activities. It typically includes various components, such as guidelines, standards, procedures, and controls. Among these components, defining responsibilities is a crucial aspect of ensuring effective security management. By clearly defining responsibilities, the enterprise security policy outlines the roles and accountabilities of individuals or groups within the organization regarding information security. This includes specifying who is responsible for implementing security measures, enforcing policies, and handling security incidents. Defining responsibilities helps establish a clear understanding of the expectations and obligations of each stakeholder, promoting a coordinated and consistent approach to security throughout the organization. While retention schedules (option B), system access specifications (option C), and organizational risk (option D) are all relevant aspects of information security, they are more likely to be addressed in other supporting documents, such as data retention policies, access control policies, and risk management frameworks. These specific details may be referenced or incorporated into the enterprise security policy, but they are not typically the primary focus of the policy itself. Therefore, the item most likely to be included in an enterprise security policy is A. Definitions of responsibilities.

Answer 245

D. Assess the consequences of noncompliance against the cost of remediation. This step involves evaluating the potential risks and impacts of noncompliance with the regulatory requirement and comparing them to the cost of remediating the legacy application. By conducting a thorough assessment, the information security manager can gain a clear understanding of the potential consequences the organization may face if it continues to operate the noncompliant application. Assessing the consequences of noncompliance allows the information security manager to make an informed decision based on a risk-based approach. It provides insights into the potential legal, financial, reputational, and operational risks associated with noncompliance. The manager can then weigh these risks against the cost of remediating the application and determine the most appropriate course of action. While developing a business case for funding remediation efforts (option A) is important, it should be done after assessing the consequences of noncompliance. This assessment helps provide the necessary information and justification to present a compelling business case for securing the budget needed to address the compliance issue. Advising senior management to accept the risk of noncompliance (option B) is not recommended as it may expose the organization to significant liabilities and potential penalties. It is essential to assess the risks and explore options for mitigating them rather than accepting noncompliance as a viable solution. Notifying legal and internal audit (option C) is an important step but should be done after assessing the consequences of noncompliance. Involving legal and audit functions can help gain further guidance and support in addressing the compliance issue effectively. Therefore, the FIRST step an information security manager should take in this scenario is to assess the consequences of noncompliance against the cost of remediation (option D).

Answer 246

C. Ensure security is involved in the procurement process. Most Voted By involving security in the procurement process, the organization can proactively address security concerns and ensure that security requirements are considered from the beginning. This allows security professionals to provide input, review and evaluate the third-party vendor's security capabilities, and make informed recommendations to mitigate potential risks. When security is involved in the procurement process, they can collaborate with the legal department (option A) to review and negotiate the contract terms related to security. This ensures that the contract includes appropriate clauses and provisions to protect the organization's security interests. Communicating security policy with the third-party vendor (option B) is important, but it alone may not provide sufficient assurance or address specific security concerns during contract negotiations. While it is necessary to establish a common understanding of security expectations, involving security in the procurement process goes beyond mere communication and allows for a more comprehensive evaluation and alignment of security requirements. Conducting an information security audit on the third-party vendor (option D) is a valuable step, but it typically occurs after the contract is in place. An audit can provide assurance regarding the vendor's security controls and practices, but it may not be feasible or practical during contract negotiations. Involving security in the procurement process allows for security considerations to be addressed before the contract is finalized, minimizing potential risks and enhancing the organization's security posture. Therefore, ensuring security is involved in the procurement process (option C) is the MOST effective way to address an organization's security concerns during contract negotiations with a third party.

Answer 247

B. Encrypt consumer data in transit and at rest Encrypting consumer data in transit and at rest provides a strong level of protection for the private information of consumers. This means that the data is securely encoded and can only be accessed by authorized parties with the appropriate decryption keys. By encrypting data in transit, the information is safeguarded as it is transmitted over networks, preventing unauthorized interception and eavesdropping. This is typically achieved by using secure communication protocols such as HTTPS, which encrypts the data during transmission. Encrypting data at rest ensures that even if the data is stored or archived on servers or databases, it remains protected from unauthorized access. This involves encrypting the data using encryption algorithms and storing it in an encrypted format. Access to the encrypted data is only granted to authorized individuals who possess the decryption keys. While applying strong authentication to online accounts (option A) is important for verifying the identity of users, it does not directly address the protection of consumer private information. Authentication focuses on user access control, while data encryption focuses on data protection. Using a secure encrypted transport layer (option C) is closely related to encrypting data in transit, as it refers to employing secure communication protocols to safeguard the data during transmission. This overlaps with option B and can be considered as part of the broader approach to encrypting consumer data. Applying a masking policy to the consumer data (option D) involves hiding or obfuscating sensitive information within the data, often by replacing it with placeholder characters. While data masking can be a useful technique for certain scenarios, it may not provide the same level of protection as data encryption. Masking alone may not be sufficient to prevent unauthorized access to consumer private information. Therefore, the BEST method to protect consumer private information for an online public website is to encrypt consumer data in transit and at rest (option B). This comprehensive approach ensures that the data remains secure both during transmission and while stored, providing a robust safeguard against unauthorized access.

Answer 248

B. The ability to centrally manage devices Centrally managing devices in a BYOD program allows the organization to have control and oversight over the devices used by employees. This includes implementing security policies, enforcing data protection measures, and monitoring device usage to ensure compliance with company standards. By having the ability to centrally manage devices, the organization can: Enforce security policies: The organization can configure security settings, such as device encryption, strong passwords, and screen lock requirements, to protect company data. This helps prevent unauthorized access to sensitive information in the event of a device loss. Remotely wipe or lock devices: In case of a lost or stolen device, the organization can remotely wipe or lock the device to prevent unauthorized access to company data. This feature is crucial in mitigating the risk of data breaches or unauthorized disclosure. Implement application management: With centralized device management, the organization can restrict the use of unapproved or risky applications on employee devices. This helps maintain the integrity of company data and reduces the risk of malicious software or unauthorized access. While the ability to remotely locate devices (option A) can be helpful in certain situations, such as tracking a lost or stolen device, it does not provide the same level of data protection as the ability to centrally manage devices. Locating a device does not prevent unauthorized access to company data if the device falls into the wrong hands. Restricting unapproved applications (option C) is an important security measure, but it is only one aspect of device management. Without centralized management, it can be challenging to enforce application restrictions and ensure compliance across a diverse range of employee devices. The ability to classify types of devices (option D) can be useful for categorizing devices based on their security capabilities or risk levels. However, it is not the most crucial consideration for protecting company data in the event of a loss. Centralized device management takes precedence as it enables comprehensive control and protection measures across all supported devices. Therefore, in a BYOD program, the MOST important consideration to protect company data in the event of a loss is the ability to centrally manage devices (option B). This provides the organization with the necessary control and security measures to safeguard company data, enforce policies, and respond effectively to device loss or theft.

Answer 249

B. appropriate service level agreements (SLAs) are in place. Service level agreements (SLAs) are contractual agreements between the organization and the cloud service provider that define the agreed-upon levels of service, performance, and security. By having well-defined SLAs in place, the organization can establish expectations for risk monitoring and timely response from the cloud service provider. Here's why option B is the correct choice: Risk monitoring: SLAs should include provisions for regular risk monitoring by the cloud service provider. This ensures that potential security risks and vulnerabilities are identified and addressed promptly. The SLA should outline the specific risk monitoring activities, frequency, and reporting mechanisms to keep the organization informed about the security status of the cloud services. Timely response: SLAs should also include provisions for timely response in case of security incidents or breaches. This includes defined response times, escalation procedures, and communication protocols to ensure that the cloud service provider responds promptly and effectively to any security issues that arise. Accountability and liability: SLAs define the responsibilities and liabilities of both the organization and the cloud service provider. This ensures that the cloud service provider is accountable for the security of the services they provide and that appropriate measures are in place to mitigate risks. It also establishes the consequences if the provider fails to meet the agreed-upon security requirements. While options A, C, and D (availability of continuous technical support, inclusion of a right-to-audit clause, and presence of internal security standards) are all important considerations in managing risk in the context of cloud services, they do not directly address the specific concern of risk monitoring and timely response. SLAs are specifically designed to define expectations, responsibilities, and accountability between the organization and the cloud service provider, making them the BEST way to address the concern of risk monitoring and timely response.

Answer 250

D. Cross-Site Scripting XSS involves the insertion of malicious code into a website's web application, which is then executed within the browsers of other clients who visit the infected website. The stolen cookies, hijacked sessions, and malware execution mentioned in the scenario are common outcomes of XSS attacks.

Answer 251

B. Enabling. Enabling refers to the function of specifying user access rights/privileges to computing resources. It involves defining and configuring the permissions and privileges granted to users or user groups, allowing them to access specific resources or perform certain actions within a computing environment. By properly enabling user access rights, organizations can ensure that users have appropriate and authorized access to the resources they need, while maintaining security and preventing unauthorized access.

Answer 252

B. Restrictions on the transmission of symmetric and/or asymmetric keys over communication networks. This is not a factor that needs to be considered when transferring encrypted information or cryptography-based tools between legal jurisdictions according to the ISO/IEC 27000 series.

Answer 253

C. Digital signatures are legal unless there is a statutory requirement that predates the digital age. Digital signatures are generally considered legally valid and enforceable, but there may be specific statutory requirements or regulations in certain countries or industries that govern their use. These requirements could include specific rules regarding the use of digital signatures, certification authorities, key management, or other aspects of the digital signature process. Therefore, digital signatures are typically legal unless there is a pre-existing statutory requirement or regulation that specifically prohibits or restricts their use. It is important to consider the applicable laws and regulations in each jurisdiction when using digital signatures to ensure compliance.

Answer 254

D. 1, 3 and 5. Authentication: Verifying the identity of users or entities to ensure that they are who they claim to be. Accounting: Tracking and recording the activities and events related to the use of resources and access to systems. Authorization: Granting or restricting access to resources based on the authenticated identity and associated permissions. These three characteristics are crucial for maintaining the security and proper functioning of information systems. By ensuring proper authentication, availability, and accounting, organizations can protect their resources, manage access effectively, and track and analyse system activities for security and compliance purposes.

Answer 255

C. ISO 22301 ISO 22301 (option C) is the standard that deals with the implementation of business continuity. ISO 22301 is an international standard for business continuity management systems (BCMS) that provides guidance and requirements for organizations to establish, implement, maintain, and improve their business continuity capabilities. It outlines a systematic approach to identifying potential threats, assessing their impact, and developing and implementing strategies to ensure business continuity in the face of disruptions. ISO/IEC 27001 (option A) is a standard for information security management systems (ISMS) and focuses on protecting information assets. While it includes some requirements related to business continuity, it is not specifically dedicated to business continuity management. COBIT (option B) is a framework for IT governance and management, which includes aspects related to risk management and control objectives. While it may touch on elements of business continuity, it is not primarily focused on its implementation. BS5750 (option D) is an outdated British Standard for quality management systems and does not specifically address business continuity. It has been superseded by the ISO 9000 series.

Answer 256

A: Online retailer. Among the given options, an online retailer would be considered the most at risk from the theft of electronic-based credit card data. Online retailers typically handle a large volume of credit card transactions, and they store and process customer payment information digitally. This makes them an attractive target for cybercriminals who seek to steal credit card data for fraudulent purposes. Unlike traditional market traders, mail delivery businesses, or agricultural producers, online retailers have a direct involvement in electronic transactions and store sensitive customer data. They are more likely to have systems and databases that store credit card information, making them vulnerable to data breaches if proper security measures are not in place. It's important for online retailers to implement robust security measures, including secure payment gateways, encryption of customer data, regular security audits, and compliance with industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), to mitigate the risk of credit card data theft.

Answer 257

A: Appointment of a Chief Information Security Officer (CISO). To improve the security culture within an organization with a top-down approach, the appointment of a Chief Information Security Officer (CISO) at the board level is the most effective action. A CISO is a senior executive responsible for overseeing the organization's information security program. By having a dedicated CISO in a board-level position, the organization demonstrates a strong commitment to security and establishes a clear chain of accountability for cybersecurity. The CISO can provide leadership, strategic guidance, and direction for implementing effective security practices throughout the organization. They can collaborate with other senior executives, advise the board on security-related matters, and ensure that security considerations are integrated into business decisions and operations. While actions like purchasing personal firewalls for senior executives, adopting a "clear desk" policy, or developing a security awareness e-learning course can contribute to enhancing security culture, appointing a CISO has a broader and more significant impact on establishing a strong security posture and driving a culture of security awareness and responsibility throughout the organization.

Answer 258

C: Police could previously intercept without lawful authority any communications in the course of transmission through a public post or telecoms system. The development of specific legislation in most European countries to permit police and security services to monitor communications traffic for specific purposes, such as the detection of crime, is primarily driven by the need to establish lawful authority for such interceptions. Prior to the enactment of these laws, police could intercept communications without lawful authority, which raised concerns about privacy rights and the potential for abuse. By implementing specific legislation, countries aim to strike a balance between protecting individual privacy rights and enabling law enforcement agencies to carry out their duties effectively. These laws establish clear guidelines and procedures for lawful interception, ensuring that privacy is respected while allowing authorities to gather necessary evidence and prevent or investigate criminal activities. Options A, B, and D are not the primary reasons for the development of specific legislation for monitoring communications traffic in most European countries. Option A mentions the European Convention of Human Rights, which recognizes the interference with the right to privacy in the interception of telecommunications but does not explain why specific legislation was developed. Option B mentions GDPR, which focuses on data protection and privacy rights but is not directly related to the interception of communications. Option D refers to the previous illegality of surveillance based on the 1950 version of the Human Rights Convention, which is not the primary reason for the development of specific legislation.

Answer 259

C: Review of the risk assessment with executive management for final input In case of disagreement between the information security manager and the business department manager regarding the evaluation of risks and identified risks, involving executive management can help in resolving the issue. Reviewing the risk assessment with executive management allows for their input and perspective on the matter. This helps in achieving a balanced and informed decision that takes into account both the security concerns of the information security manager and the business objectives of the organization.

Answer 260

C: Time server A time server helps ensure that all devices on a network are synchronized with accurate time. By having consistent and accurate timestamps on log entries from different devices, it becomes easier to correlate events and identify the sequence of actions leading to a security breach. Time synchronization is crucial for accurate analysis and investigation of security incidents.

Answer 261

b) Governance Governance is concerned with policy and direction, providing the framework and rules that guide the organization's activities and ensure alignment with business goals and compliance with regulations.

Answer 262

(A)Minimize the number of entrances By reducing the number of entrances, the potential points of vulnerability and unauthorized access are limited, enhancing overall security. Thank you for pointing out the mistake.

Answer 263

(D) It blinds the approaching intruder’s view of the scene. By positioning projection lighting at the same height as the barbed wire topping of a fence, it creates a glare or bright light that obstructs the view of anyone attempting to climb over the fence. This makes it more difficult for intruders to assess the scene or identify potential obstacles or security measures.

Answer 264

(A) guidelines and practices of security controls ISO 27002 provides guidance on information security management and serves as a comprehensive set of controls and best practices for organizations to implement in order to protect their information assets. It covers various aspects of information security, including risk management, access control, incident management, and compliance.

Answer 265

(C) Cold site A cold site is a backup processing alternative that provides a computing facility with minimal data and resources. It typically includes telecommunications equipment and some systems but lacks up-to-date or synchronized data. Organizations would need to restore their data and systems in the event of a disaster or disruption when using a cold site.

Answer 266

(A) document recovery specialists. When important documents have been soaked in water during fire suppression efforts, they are typically restored by document recovery specialists. These specialists have the expertise and equipment to handle water-damaged documents, assess the extent of the damage, and employ appropriate techniques to salvage and restore the documents. This may involve drying, cleaning, and dehumidifying the documents to prevent further damage and restore them as much as possible to their original condition. Human Resources personnel, document library personnel, and fire department specialists may not possess the specialized knowledge and resources required for effective document restoration in such situations.

Answer 267

(D) Owner In a discretionary access control (DAC) mode, the delegation authority to grant access to information lies with the owner of the information. The owner has the discretion to determine who can access their information and can delegate access control decisions to other individuals or roles within the organization.

Answer 268

(B) European Union Principles The European Union has developed comprehensive privacy regulations known as the General Data Protection Regulation (GDPR), which sets out principles and requirements for the protection of personal data within the European Union. These principles are specific to privacy and govern the handling, processing, and transfer of personal data.

Answer 269

(A) Spoofing Spoofing attacks involve an attacker impersonating a legitimate entity or device to gain unauthorized access to a network or system. By implementing authentication measures, such as username and password verification or multi-factor authentication, the system can verify the identity of the entities attempting to access it and prevent spoofing attacks.

Answer 270

A. Phishing Phishing involves sending deceptive emails or messages to individuals, impersonating reputable organizations or individuals, with the goal of tricking them into revealing sensitive information such as passwords, credit card numbers, or personal details.

Answer 271

C. Vishing Vishing is a form of social engineering where attackers make phone calls to individuals, posing as legitimate entities such as banks or government agencies, in order to trick them into revealing sensitive information or performing certain actions.

Answer 272

C. Shoulder surfing Shoulder surfing is a form of visual eavesdropping where an attacker observes or "surfs" the target's actions, such as typing passwords or accessing sensitive information, by looking over their shoulder. This technique is used to gather confidential information without the target's knowledge or consent.

Answer 273

C. Whaling Whaling attacks are specifically aimed at senior executives, high-ranking officials, or individuals in prominent positions within an organization. The goal is to deceive and trick them into revealing sensitive information or performing actions that could compromise the organization's security. These attacks often employ sophisticated techniques and personalized messages to increase their effectiveness.

Answer 274

C. Gaining unauthorized access to restricted areas by following another person. In physical security, tailgating occurs when an individual without proper authorization follows closely behind an authorized person to gain entry to a secure area. The unauthorized person takes advantage of the authorized person's access rights and proximity to bypass security measures such as access control systems or identification checks. This is a security vulnerability as it compromises the integrity of restricted areas and can lead to unauthorized individuals entering sensitive or secure locations.

Answer 275

B. Impersonation Impersonation involves pretending to be someone else in order to deceive individuals and gain their trust or access to sensitive information. In the context of social engineering, impersonation can involve assuming the identity of a trusted individual or a representative of a legitimate organization to manipulate victims into revealing personal or confidential information. This information can then be used for identity theft purposes, such as accessing financial accounts or committing fraud.

Answer 276

True Dumpster diving is a practice in which individuals search through trash or discarded materials in order to find valuable or sensitive information. In the context of computer security, dumpster diving specifically refers to searching through trash for documents or materials containing sensitive data that can be used for malicious purposes, such as social engineering attacks. In the given statement, it is mentioned that shredding or incinerating documents before disposal can make dumpster diving less effective and mitigate the risk of social engineering attacks. This statement is true because by destroying the documents, the sensitive information they contain becomes unreadable and unusable, reducing the likelihood of it being exploited by individuals with malicious intent. Proper disposal methods, such as shredding or incineration, are recommended security practices to prevent unauthorized access to sensitive information.

Answer 277

True The term "Evil twin" refers to a rogue Wireless Access Point (WAP) that is maliciously set up to deceive users. It mimics a legitimate access point by advertising the same Service Set Identifier (SSID) and tricks connecting hosts into believing it is a trusted network. The purpose of an evil twin is typically to eavesdrop on network traffic or steal sensitive user data.

Answer 278

B. Malware Malware refers to harmful programs or software that are designed to disrupt computer operations, gather sensitive information, or gain unauthorized access to computer systems. It is a broad term that encompasses various types of malicious software, including viruses, worms, Trojans, spyware, adware, and ransomware. Malware can cause damage to computer systems, compromise data security, and invade user privacy. It is important to have effective security measures in place to prevent and detect malware infections.

Answer 279

True A Trojan horse is a type of malware that disguises itself as a legitimate program but contains hidden malicious code. It tricks users into installing or running it, often by appearing as a useful or harmless application. Once installed, the Trojan horse can perform various harmful actions without the user's knowledge or consent. The term "Trojan horse" refers to the Greek myth where a giant wooden horse was used to deceive and infiltrate the city of Troy. Similarly, a Trojan horse malware deceives users to gain unauthorized access or perform malicious activities on their systems.

Answer 280

A. Rootkit A rootkit is a collection of software tools that are designed to conceal the presence of an intruder or malicious activity on a computer or computer network. It is typically used by hackers to gain unauthorized administrator-level access to a system and maintain control over it without being detected. Rootkits are often installed through exploit techniques and once installed, they can modify or replace operating system components to hide their presence and provide backdoor access for the attacker. Rootkits can be very difficult to detect and remove, making them a potent tool for cybercriminals.

Answer 281

D. Defence in depth. (Data redundancy refers to the practice of keeping data in two or more places within a database or data storage system.) Defence in depth is a security concept that involves implementing multiple layers of security controls to provide redundancy and mitigate the impact of security control failures or vulnerabilities being exploited. By having multiple layers of protection, if one control fails or is bypassed, other controls can still provide protection and prevent or minimize the impact of a security incident. It is a proactive approach to security that aims to provide comprehensive and layered protection for systems and data.

Answer 282

D. Spyware Spyware is a type of malicious software that is designed to collect information about users without their knowledge or consent. It is typically installed on a computer or device without the user's awareness and operates in the background, collecting data such as browsing habits, keystrokes, passwords, and personal information. The collected data is often sent to remote servers or used for unauthorized purposes, such as identity theft or targeted advertising. Spyware can be spread through various means, including malicious email attachments, infected websites, or bundled with other software. Its presence can compromise user privacy and security, making it important to have robust anti-spyware measures in place.

Answer 283

A. Polymorphic Polymorphic viruses are a type of malware that can change their code or appearance to evade detection by antivirus software. They use various techniques such as encryption, obfuscation, and code mutation to alter their structure while maintaining their functionality. This ability to change their form makes it challenging for traditional signature-based antivirus programs to identify and block them effectively. Polymorphic viruses are designed to be highly adaptable and can generate multiple variations of themselves, making it difficult for security software to keep up with their constantly evolving nature.

Answer 284

C. application, transport, network, internet, network interface The layers in the TCP/IP model, ordered from highest to lowest, are as follows: Application layer: This layer includes protocols and services that enable communication between applications running on different devices, such as HTTP, FTP, SMTP, and DNS. Transport layer: This layer is responsible for the reliable delivery of data between hosts and includes protocols like TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Network layer: Also known as the Internet layer, this layer handles the routing of data packets across different networks. It includes the IP (Internet Protocol) protocol. Internet layer: This layer defines the format of IP packets and the logical addressing scheme used to identify devices on a network. It includes protocols such as IPv4 and IPv6. Network interface layer: This layer is responsible for the physical transmission of data packets over a network and includes protocols and technologies specific to the network interface, such as Ethernet, Wi-Fi, and Bluetooth.

Answer 285

D. datalink The layer of the OSI (Open Systems Interconnection) model that converts IP (Internet Protocol) addresses to MAC (Media Access Control) addresses is the datalink layer. The datalink layer is responsible for providing the means to transfer data between adjacent network nodes and is divided into two sublayers: the LLC (Logical Link Control) sublayer and the MAC (Media Access Control) sublayer. The MAC sublayer is specifically responsible for addressing and accessing the physical media, including the conversion of logical addresses (such as IP addresses) to physical addresses (such as MAC addresses) for transmission over the network.

Answer 286

D. kernel, device drivers, applications The rings of security, from innermost to outermost, typically refer to the security rings in the context of operating systems and system architecture. The most common representation of these rings is: Kernel or Ring 0: This is the innermost ring where the core operating system components and critical system processes reside. It has the highest level of privilege and controls access to hardware resources. Device Drivers or Ring 1/2: This ring includes device drivers and other low-level system components that interact with hardware devices. It has elevated privileges compared to user-level processes but lower privileges than the kernel. Applications or Ring 3: This is the outermost ring where user-level applications and processes run. It has the least privilege and limited access to system resources. Most user applications operate in this ring.

Answer 287

C. Fraggle In a Fraggle attack, the attacker sends a large number of User Datagram Protocol (UDP) packets with a spoofed source IP address to a network's broadcast address. These UDP packets are typically sent to the destination port used by the ICMP Echo service (ping). As a result, the ICMP reply from the target system is flooded back to the victim, overwhelming its network connection and causing a denial-of-service (DoS) condition. This type of attack is similar to the Smurf attack, but instead of using ICMP Echo packets, Fraggle attacks utilize UDP packets to generate excessive traffic and disrupt the target network.

Answer 288

A. retrovirus A retrovirus is a specific type of virus that has the ability to attack and modify the antivirus software itself. It can alter the code or functionality of the antivirus program, making it ineffective in detecting and removing the retrovirus. Retroviruses are designed to evade detection by security measures and can be particularly challenging to remove from an infected system.

Answer 289

C. measure, create, analyse, identify The stages of developing a Business Continuity Plan (BCP) ordered from last to first are as follows: 1. Identify: Identify critical business functions, processes, and resources that need to be protected and prioritize them based on their importance and impact on the organization. 2. Analyze: Conduct a risk assessment and business impact analysis to assess potential risks and vulnerabilities that could disrupt the identified critical functions. This involves evaluating the likelihood and potential impact of various threats. 3. Create: Develop strategies and plans for mitigating risks and addressing potential disruptions. This includes developing recovery strategies, defining incident response procedures, and establishing communication and coordination protocols. 4. Measure: Implement measures to monitor and measure the effectiveness of the BCP. This includes regularly reviewing and testing the plan to identify areas for improvement and ensure its ongoing relevance and effectiveness.

Answer 290

B. Cryptominer Cryptominers are a type of malware that utilize the computing resources of a compromised system to mine cryptocurrency without the owner's consent or knowledge. This malicious software can significantly impact system performance and can be challenging to detect as it operates in the background.

Answer 291

E. OS reinstallation OS reinstallation is a drastic measure that can effectively remove malware, but it is time-consuming and should be considered as a last resort.

Answer 292

B. PKI (Public Key Infrastructure) PKI is a hierarchical system that provides a framework for issuing, managing, and verifying digital certificates. It involves a Certificate Authority (CA) that acts as a trusted third party, issuing digital certificates to entities such as individuals, organizations, or devices, and ensuring the integrity and authenticity of those certificates. PKI plays a crucial role in establishing secure communication and enabling features like encryption, authentication, and digital signatures.

Answer 293

C. CA (Certificate Authority) A Certificate Authority is a trusted third party responsible for issuing digital certificates used for creating digital signatures and public-private key pairs. The CA verifies the identity of the certificate holder and digitally signs the certificate to ensure its authenticity and integrity. The digital certificates issued by a CA play a crucial role in establishing secure communication and enabling various security features in applications and systems.

Answer 294

A. Accepting requests for digital certificates C. Authenticating the entity making the request A. Accepting requests for digital certificates: The Registration Authority (RA) plays a role in accepting requests for digital certificates from individuals or entities. The RA acts as an intermediary between the certificate requester and the Certificate Authority (CA) by receiving and verifying the certificate requests. C. Authenticating the entity making the request: The RA is responsible for authenticating the identity of the entity making the certificate request. The RA verifies the identity of the requester and ensures that they meet the necessary criteria to obtain a digital certificate.

Answer 295

B. CRL (Certificate Revocation List) C. OCSP (Online Certificate Status Protocol). CRL (Certificate Revocation List): A CRL is a list of digital certificates that have been revoked by the Certificate Authority (CA) before their expiration date. It contains information about revoked certificates such as their serial numbers and the date of revocation. By checking the CRL, one can determine if a particular digital certificate is still valid or has been revoked. OCSP (Online Certificate Status Protocol): OCSP is a protocol used to obtain the real-time status of a digital certificate. It allows a client to send a request to the CA or an OCSP responder to check if a specific certificate is still valid or has been revoked. The response received from the OCSP responder contains information about the certificate's status, such as "good," "revoked," or "unknown."

Answer 296

C. OCSP (Online Certificate Status Protocol) OCSP allows for real-time checking of the revocation status of a digital certificate. When a client needs to verify the validity of a certificate, it sends a request to the OCSP responder, which is typically operated by the Certificate Authority (CA) or a trusted third party. The OCSP responder then responds with the current status of the certificate, such as "good," "revoked," or "unknown." Compared to CRL (Certificate Revocation List), which is a static list that needs to be downloaded and regularly updated, OCSP provides a more efficient and timely method for checking the validity of a digital certificate. With OCSP, the client can directly query the OCSP responder to obtain the certificate's status without the need to download and process a large list of revoked certificates. Key escrow and CSR (Certificate Signing Request) are not directly related to checking the validity of a certificate. Key escrow involves storing cryptographic keys with a trusted third party, while CSR is a file used to request a digital certificate. They do not provide a means for quickly checking the validity of a certificate.

Answer 297

B. CSR (Certificate Signing Request). A CSR is a file that contains the information required for a Certification Authority (CA) to issue a digital certificate. It typically includes the public key and information about the entity (such as organization name, domain name, and contact details) for which the certificate is being requested. The entity generates the CSR and submits it to the CA as part of the certificate issuance process. CBC (Cipher Block Chaining), CFB (Cipher Feedback), and CRL (Certificate Revocation List) are not directly related to the process of requesting a digital certificate. CBC and CFB are modes of operation used in cryptographic algorithms, while CRL is a list that contains information about revoked certificates.

Answer 298

Risk acceptance Residual risk refers to the level of risk that remains after risk mitigation measures have been implemented. It represents the risk that an organization or individual is willing to accept or tolerate. Risk acceptance involves acknowledging and accepting the existence of residual risk and consciously deciding not to implement further risk mitigation measures, either because the cost of additional controls outweighs the potential impact of the risk or because it aligns with the risk appetite of the organization. Risk deterrence, risk transference, and risk avoidance are strategies used to manage risk but are not specifically associated with residual risk. Risk deterrence focuses on discouraging potential risks through preventive measures, risk transference involves shifting the risk to a third party (such as through insurance), and risk avoidance entails avoiding activities or situations that pose a significant risk altogether.

Answer 299

Risk avoidance Risk avoidance is a risk management strategy that involves taking actions to eliminate or avoid certain risks altogether. It aims to minimize exposure to potential threats by implementing measures to prevent or stop activities that could lead to adverse consequences. In the given example, the organization chooses to disable system functions or shut down the system to avoid the identified risks and mitigate their potential impact. Risk acceptance refers to the conscious decision to accept the existence of residual risk and not implement further risk mitigation measures. Risk transference involves shifting the risk to a third party, such as through insurance or outsourcing. Risk deterrence focuses on discouraging potential risks through preventive measures.

Answer 300

Risk transference Risk transference is a risk management strategy that involves shifting the responsibility for managing a risk to a third party. In the given example, the company acknowledges that their employees lack the required skills for the specialized technical component, and instead of trying to develop those skills internally, they transfer the risk by contracting out the task to a third-party vendor or service provider who possesses the necessary expertise. Risk deterrence focuses on discouraging potential risks through preventive measures. Risk avoidance involves taking actions to eliminate or avoid certain risks altogether. Risk acceptance refers to the conscious decision to accept the existence of residual risk and not implement further risk mitigation measures.

Answer 301

Risk transference. Risk transference is a risk management strategy where an organization transfers the financial impact of potential risks to an insurance provider. In the case of cybersecurity insurance, the organization transfers the risk of financial losses resulting from cyber incidents or data breaches to the insurance company. If a cyber incident occurs and causes financial damages, the organization can file a claim with their cybersecurity insurance provider to mitigate the financial impact. Risk avoidance involves taking actions to eliminate or avoid certain risks altogether. Risk deterrence focuses on discouraging potential risks through preventive measures. Risk acceptance refers to the conscious decision to accept the existence of residual risk and not implement further risk mitigation measures.

Answer 302

Implementation of security controls. Risk mitigation involves taking proactive measures to reduce the likelihood or impact of identified risks. One common approach to risk mitigation in cybersecurity is the implementation of various security controls. These controls can include measures such as firewalls, intrusion detection systems, access controls, encryption, and regular security patches and updates. By implementing these security controls, organizations aim to mitigate the risks associated with potential threats and vulnerabilities, thereby reducing the likelihood of successful attacks or minimizing their impact if they occur. System shutdown, IT personnel outsourcing, and cybersecurity insurance are not specific examples of risk mitigation strategies. System shutdown may be a response to a risk or incident, but it is not a proactive mitigation measure. IT personnel outsourcing and cybersecurity insurance are examples of risk transference strategies, where the organization transfers the risk to external entities rather than mitigating it directly.

Answer 303

Risk register A risk register is a document that systematically captures and records information about identified risks within an organization. It provides detailed information about each risk, including its description, likelihood, impact, risk owner, mitigation measures, and current status. The risk register helps in centralizing and organizing the information related to cybersecurity risks, allowing for better risk management and decision-making. A risk heat map and risk matrix are visual representations of risks that help prioritize and assess their severity but do not typically contain detailed information. A risk repository is a broader term that can refer to a centralized storage or database of risk-related information, which may include the risk register but can also encompass other risk-related documents and artifacts.

Answer 304

Quantitative risk assessment Quantitative risk assessment involves assigning numerical values to various components of risk, such as asset value, threat likelihood, and potential loss. It aims to quantify the potential impact and financial implications of risks by using mathematical calculations and data analysis. The Single Loss Expectancy (SLE) is a quantitative metric that represents the estimated monetary value associated with a single occurrence of a risk event or loss. It is calculated by multiplying the asset value by the exposure factor, which represents the percentage of loss that would occur if the risk event happens. On the other hand, qualitative risk assessment involves a more subjective and descriptive evaluation of risks, focusing on qualitative characteristics such as likelihood, impact, and risk prioritization. Risk deterrence and risk acceptance are risk management strategies that are not directly related to the calculation of the Single Loss Expectancy.

Answer 305

Hub: It is a central device that connects multiple devices in a network, allowing them to communicate with each other. Network cabling: It provides the physical medium for transmitting data signals between devices. Repeater: It is used to regenerate and amplify signals to extend the reach of a network over longer distances.

Answer 306

B. AES (Advanced Encryption Standard). AES is a widely used symmetric encryption algorithm that was established as a standard by the National Institute of Standards and Technology (NIST) in 2001. It is considered secure and efficient for encrypting electronic data. RSA (A) is an asymmetric encryption algorithm, DES (C) is an older symmetric encryption algorithm, and PGP (D) is a protocol for secure communication but not a specific encryption algorithm.

Answer 307

Layer 1 The physical layer of the OSI model is responsible for the physical transmission of data over a communication network. It deals with the physical medium, such as cables, connectors, and signalling, and focuses on the electrical, mechanical, and timing aspects of the communication. It is the lowest layer of the OSI model. Layer 2 is the Data Link Layer, Layer 7 is the Application Layer, and Layer 4 is the Transport Layer.

Answer 308

The characteristic components of the OSI data link layer are: 1. MAC address: The data link layer uses MAC (Media Access Control) addresses to uniquely identify devices on a local network. 2. Network switch: Switches operate at the data link layer and are responsible for forwarding data between devices on a local network. 3. Ethernet frame: The data link layer encapsulates network layer packets into frames, which include source and destination MAC addresses, as well as other control information.

Answer 309

Data link layer The Data link layer, also known as Layer 2 of the OSI model, is responsible for the reliable transfer of data between directly connected network nodes. It establishes and terminates the logical link between two devices, handles error detection and correction, and controls access to the physical transmission medium. This layer is concerned with organizing and structuring data into frames and ensuring their proper delivery over the network.

Answer 310

Switch. A switch is a data link layer device that receives data frames from one network segment and forwards them selectively to the appropriate destination on another network segment. It operates at Layer 2 of the OSI model and uses MAC addresses to determine the correct port to forward the frames. Switches provide improved network performance and security by reducing collisions and optimizing bandwidth usage.

Answer 311

1. Router: A router is a network layer device that forwards data packets between different networks based on the destination IP address. 2. IP address: An IP address is a unique identifier assigned to devices on a network, and it is used by the network layer to route data packets to their destinations. 3. Packet: A packet is a unit of data that is encapsulated with network layer headers and trailers, containing the necessary information for routing and delivering the data across networks.

Answer 312

IP (Internet Protocol). IP is responsible for the addressing, routing, and fragmentation of packets in an interconnected network. It provides a standardized format for packet headers that include source and destination IP addresses, as well as other information necessary for the delivery of data across networks.

Answer 313

Layer 3 Layer 3, the network layer, is responsible for logical addressing, routing, and the fragmentation and reassembly of data packets. It provides the necessary functions to enable end-to-end communication between hosts on different networks by using IP addressing and routing protocols.

Answer 314

Transport layer Layer 4 of the OSI model is known as the Transport layer. The Transport layer is responsible for the reliable delivery of data between end systems or hosts. It ensures that data is properly segmented, sequenced, and delivered without errors or loss. It also manages end-to-end communication, flow control, and error recovery mechanisms. Some common protocols operating at Layer 4 include TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

Answer 315

Session layer Layer 5 of the OSI model is referred to as the Session layer. The Session layer is responsible for establishing, managing, and terminating sessions or connections between applications on different network devices. It provides services such as session establishment, maintenance, and synchronization, as well as checkpointing and recovery of sessions in case of interruptions or failures. The Session layer ensures that data exchanges between applications are organized and coordinated.

Answer 316

Session layer The OSI layer that assumes the responsibility for opening, closing, and maintaining connections between applications is the Session layer. The Session layer (Layer 5) of the OSI model manages the establishment, maintenance, and termination of sessions or connections between applications on different network devices. It provides services for session establishment, synchronization, and coordination, allowing applications to communicate and exchange data in an organized and controlled manner.

Answer 317

Session layer of the OSI model Authentication and authorization typically take place at the Session layer (Layer 5) of the OSI model. The Session layer is responsible for establishing, managing, and terminating sessions between applications. It provides services such as session establishment, session maintenance, and session termination. During the session establishment phase, authentication and authorization mechanisms can be employed to verify the identity of the communicating entities and determine their access privileges. These mechanisms help ensure secure and authorized communication between applications. Thank you for pointing out the mistake.

Answer 318

Layer 6 of the OSI model The term "Presentation layer" refers to Layer 6 of the OSI model. The Presentation layer is responsible for the formatting, encryption, and compression of data to be transmitted across a network. It ensures that data from the application layer is properly formatted and prepared for network transmission. This layer handles tasks such as data encryption and decryption, data compression and decompression, and data syntax conversion. Its main focus is to provide a standardized format for data exchange between different systems.

Answer 319

Presentation layer of the OSI model Data format translation, data compression, and data encryption/decryption take place at the Presentation layer of the OSI model. The Presentation layer is responsible for ensuring that the data sent by the application layer is properly formatted and presented to the receiving application. This layer handles tasks such as data conversion between different data formats, data compression to reduce the size of the data for efficient transmission, and data encryption/decryption to secure the data during transmission. The Presentation layer prepares the data in a way that is independent of the application and network layers, ensuring that the data can be properly understood by the receiving application.

Answer 320

Layer 7 The application layer of the OSI model is also known as Layer 7. The application layer is the topmost layer of the OSI model and is responsible for providing network services and application functionality to end-user applications. It interacts directly with software applications and enables communication and data exchange between different network devices. This layer includes protocols and services that support a wide range of applications such as email, web browsing, file transfer, and remote access. The application layer protocols define the syntax and semantics of the data exchanged between applications, allowing them to communicate with each other over the network.

Answer 321

The protocols that reside at the application layer of the OSI model are: - HTTP (Hypertext Transfer Protocol): Used for web browsing and communication between web clients and servers. - FTP (File Transfer Protocol): Used for transferring files between a client and a server. - SMTP (Simple Mail Transfer Protocol): Used for sending and receiving email messages. These protocols are responsible for providing application-level services and functionality to the end users.

Answer 322

1. Encryption: It involves the use of algorithms to convert data into a format that cannot be easily understood by unauthorized individuals. 2. Access control methods: These are mechanisms and techniques used to control and restrict access to sensitive information. 3. Steganography: It is the practice of hiding information within other seemingly innocuous data to maintain confidentiality.

Answer 323

1. Hashing: It is the process of using a cryptographic hash function to generate a unique hash value for a given set of data. It is used to verify the integrity of the data by comparing the computed hash value with the original hash value. 2. Digital signatures: They are used to ensure the integrity of digital documents or messages. A digital signature is created using the sender's private key and can be verified using the sender's public key, providing assurance that the content has not been altered. 3. Digital certificates: used to verify the authenticity and integrity of digital data. They are issued by a trusted third party called a Certification Authority (CA). A digital certificate includes information about the entity to which it is issued, such as their public key and identity information. The digital certificate is signed by the CA using their private key, creating a digital signature. 4. Non-repudiation: It refers to the concept of preventing someone from denying that they have performed a particular action. In the context of integrity, non-repudiation mechanisms ensure that a sender cannot deny sending a message or making a specific change to a document.

Answer 324

1. Redundancy: Redundancy is the duplication of critical components or systems to ensure that if one fails, another can take its place and maintain the availability of services. 2. Fault tolerance: Fault tolerance refers to the ability of a system or network to continue functioning properly even in the presence of faults or failures. It involves designing systems that can detect and recover from failures to maintain availability. 3. Load balancing: Load balancing is the distribution of network traffic across multiple servers or resources to ensure that no single resource is overwhelmed, optimizing resource utilization and maintaining availability. 4. Patch management: Patch management refers to the process of regularly applying updates and patches to software and systems to address vulnerabilities and improve system stability. Effective patch management helps mitigate risks and maintain system availability.

Answer 325

Insider threat An insider threat refers to individuals within an organization who have authorized access to systems, data, or networks and misuse that access for malicious purposes. In the context of the question, the disgruntled employee is using their legitimate access to harm the company or its resources, making them an insider threat.

Answer 326

1.DLP system (Data Loss Prevention): A DLP system helps prevent unauthorized access, use, or distribution of sensitive data. It can monitor and control data movements, detect and block unauthorized activities, and provide visibility into data handling within the organization. 2. Principle of least privilege: Granting users the minimum level of access required to perform their job responsibilities helps minimize the potential damage that a malicious insider can cause. By limiting privileges, the scope of unauthorized actions is reduced. 3. Usage auditing and review: Regularly monitoring and reviewing user activities, system logs, and access logs can help detect any suspicious or abnormal behaviour by insiders. This enables timely identification of potential threats and allows for appropriate actions to be taken.

Answer 327

Improperly configured accounts When user accounts are improperly configured, it means that they have been granted excessive privileges or permissions that go beyond what is necessary for their job functions. This violates the principle of least privilege, which states that users should only have the minimum privileges required to perform their tasks. Improperly configured accounts can lead to security vulnerabilities and increase the risk of unauthorized access or misuse of resources. It is important to properly manage and configure user accounts to ensure that they align with the principle of least privilege, reducing the potential for security breaches.

Answer 328

CVE (Common Vulnerabilities and Exposures). CVE is a widely recognized and commonly used vulnerability database that provides a standardized identifier for known vulnerabilities. It is maintained by the MITRE Corporation and serves as a comprehensive resource for tracking and documenting vulnerabilities in software and hardware systems. CVE assigns a unique identification number to each vulnerability, making it easier for organizations and security professionals to reference and share information about specific vulnerabilities. It enables better coordination and collaboration in addressing security issues by providing a common language and reference point for vulnerability management. DBA (Database Administrator) refers to a professional responsible for managing and maintaining databases. DBaaS (Database as a Service) refers to a cloud-based service that provides database management and infrastructure. AIS (Automated Information System) refers to a computer system or network used for the collection, processing, storage, and dissemination of information.

Answer 329

Port-based NAC (Network Access Control). 802.1X is an IEEE standard that defines the protocol for port-based network access control. It provides an authentication mechanism for controlling access to network resources, particularly in wired and wireless networks. With 802.1X, devices attempting to connect to a network are required to authenticate themselves before being granted access. This standard is commonly used in enterprise environments to ensure that only authorized devices can connect to the network. It uses the Extensible Authentication Protocol (EAP) framework to facilitate the authentication process, which can involve methods such as username/password, digital certificates, or other authentication mechanisms. While VLAN tagging and token ring networks are network technologies, they are not specific to the implementation of 802.1X. 802.1X is commonly used in wireless networks to secure access points and control device authentication.

Answer 330

Honeypot A honeypot is a monitored host or network resource that is intentionally designed to attract and trap potential attackers. It is typically set up to appear as a valuable target with the aim of diverting the attacker's attention from the actual corporate network or sensitive systems. The honeypot is configured to mimic the behaviour and vulnerabilities of real systems, making it appear enticing to attackers. It can simulate various types of services, such as web servers, email servers, or database servers, to attract different types of attacks. By monitoring the activities on the honeypot, organizations can gain insights into the tactics, techniques, and tools used by attackers, helping them enhance their security defenses and protect their actual network. A captive portal is a web page that requires users to authenticate or agree to terms and conditions before accessing a network. It is commonly used in public Wi-Fi networks or guest networks. A rogue access point refers to an unauthorized wireless access point that has been installed on a network without proper authorization. Flood guard, on the other hand, is a network security mechanism designed to detect and mitigate various types of flooding attacks, such as Distributed Denial of Service (DDoS) attacks.

Answer 331

Spam Spam refers to unsolicited and unwanted bulk messages, typically sent via email, but it can also occur through other communication channels like instant messaging or social media. Spam messages are usually commercial in nature, promoting products, services, or fraudulent schemes. They are sent without the recipient's consent and often in large volumes. Spyware is malicious software designed to gather sensitive information without the user's knowledge or consent. It is typically used for spying on user activities, capturing passwords, or collecting personal data. Adware, on the other hand, is software that displays advertisements on a user's device, often in the form of pop-up ads or banners. While it can be unwanted and disruptive, adware is not necessarily malicious like spyware or malware. Malware is a general term used to describe any malicious software designed to harm or exploit computer systems. It includes various types of harmful programs such as viruses, worms, ransomware, and spyware. While some types of malware may be involved in delivering spam messages, spam itself refers specifically to unsolicited advertising messages rather than the malware itself.

Answer 332

SPIM (Spam over Instant Messaging) SPIM refers to unsolicited advertising messages sent through instant messaging platforms. It involves the sending of unwanted text-based messages containing advertisements or promotional content. SPIM is similar to email spam but is specifically targeted at instant messaging services.

Answer 333

Traffic redirection Fraudulent website Credential harvesting Traffic redirection: Users are redirected to fake websites that closely resemble legitimate websites, with the intention of stealing sensitive information such as login credentials, credit card details, or personal information. Fraudulent website: Pharming involves the creation of counterfeit websites that mimic the appearance and functionality of legitimate websites, aiming to deceive users into providing their personal or financial information. Credential harvesting: refers to the act of capturing and stealing user login credentials, such as usernames and passwords, usually through deceptive means or malicious techniques.

Answer 334

Prepending Prepending refers to the act of adding misleading or deceptive information to a URL, typically at the beginning, in order to trick users into visiting malicious websites or disclosing sensitive information. Thank you for pointing out the error.

Answer 335

Virus hoax. A virus hoax is a type of deceptive message or email that spreads false information about a non-existent computer security threat. It typically tricks users into taking unnecessary actions, such as deleting system files or sharing the message with others. The intention is to create panic or confusion rather than to deliver a genuine security warning.

Answer 336

Websites. In the context of cyber attacks, a watering hole attack is a technique where the attacker compromises a legitimate and trusted website that is frequently visited by the target individuals or group. By exploiting vulnerabilities in the website, the attacker injects malicious code or content that can infect the visitors' devices and gain unauthorized access to their systems. The compromised website serves as the platform for launching the attack, making it a crucial component of the watering hole attack strategy.

Answer 337

Consensus In this scenario, the attacker creates a false sense of consensus by generating fake reviews and testimonials that appear to be from multiple sources. By presenting these fake endorsements, the attacker aims to manipulate the user's perception of the app's popularity and desirability. The user is more likely to trust the app and make a purchasing decision based on the belief that many others have already done so and had positive experiences. This tactic leverages the psychological principle of consensus to influence the user's decision-making process.

Answer 338

Chain of custody In forensic procedures, the chain of custody is a chronological record that documents the handling and movement of evidence from the time it is collected until it is presented in a court of law. It includes detailed information about each person who has had possession of the evidence, along with the date, time, and purpose of the transfer. The chain of custody is essential to maintain the integrity and admissibility of the evidence, ensuring that it has not been tampered with or compromised during the investigation process.

Answer 339

Order of volatility In forensic procedures, the order of volatility refers to a sequence of steps or priorities in which different types of evidence should be collected and preserved based on their volatility or likelihood of being lost or altered over time. It helps investigators prioritize their actions to ensure the preservation of critical evidence before it becomes compromised or inaccessible. The order of volatility typically involves collecting volatile data first, such as live system memory, followed by data from temporary storage, logs, and finally, data from long-term storage. This approach helps maximize the chances of obtaining accurate and complete evidence during the forensic investigation.

Answer 340

C. Cache memory -> RAM -> Swap/Pagefile -> Temporary files -> Disk files -> Archival media In a typical computer system, the order of volatility starts with the most volatile data and progresses to less volatile data. Cache memory is the most volatile as it holds temporary data accessed by the CPU. RAM (Random Access Memory) is the next level, where active processes and data reside. Disk files come next, representing the long-term storage on hard drives or solid-state drives. Temporary files refer to temporary storage areas used by applications. Swap/Pagefile is the virtual memory or paging file used when RAM is insufficient. Lastly, archival media refers to offline or backup storage that is less likely to change or be modified. By following this order of volatility, forensic investigators can prioritize the collection and preservation of data that is more likely to be lost or altered over time, ensuring the integrity of the evidence during the investigation.

Answer 341

Hashing & Checksums Hashing involves generating a unique hash value based on the content of a file, and checksums involve calculating a numerical value based on the contents of a file. By comparing the hash or checksum of the original evidence with the hash or checksum of the acquired evidence, one can verify that the data has not been tampered with or altered. Thank you for pointing out the correct answer.

Answer 342

E-discovery. E-discovery refers to the process of searching, collecting, and securing electronic data for the purpose of using it as evidence in a legal proceeding or investigation. It involves identifying, preserving, and analysing electronically stored information (ESI) that may be relevant to a case. OSINT (Open Source Intelligence) is the process of gathering information from publicly available sources, while white-hat hacking refers to ethical hacking performed by security professionals. Active reconnaissance involves actively scanning and probing a target system or network to gather information.

Answer 343

Memdump. Memdump is a forensic utility used to extract the contents of RAM (Random Access Memory) from a computer system. It allows forensic investigators to capture and analyse volatile data stored in the computer's memory, which can be valuable in investigating security incidents and gathering evidence. WinHex and FTK Imager are forensic tools that offer a wide range of capabilities, including disk imaging and data analysis. Autopsy is an open-source digital forensics platform that provides a comprehensive set of tools for analysing disk images and other digital evidence, but it does not specifically focus on RAM extraction.

Answer 344

Bypasses security controls Actively tests security controls Exploits vulnerabilities Here's a brief explanation for each point: 1. Bypasses security controls: Penetration testing aims to simulate real-world attack scenarios, which may involve bypassing or circumventing security controls to gain unauthorized access. This helps identify any weaknesses or gaps in the security infrastructure. 2. Actively tests security controls: Penetration testing involves active and intentional attempts to exploit vulnerabilities and test the effectiveness of security controls. It goes beyond passive assessment by actively probing the system for potential weaknesses. 3. Exploits vulnerabilities: The primary objective of penetration testing is to identify vulnerabilities that can be exploited by attackers. By deliberately exploiting these vulnerabilities, the penetration tester can provide insights into the potential impact and risks associated with the identified weaknesses. Overall, penetration testing is a proactive approach to assess the security posture of a system or network. It helps organizations identify vulnerabilities, validate the effectiveness of security measures, and take proactive measures to mitigate risks and enhance their overall security stance.

Answer 345

White-box testing White-box testing is a form of penetration testing where the tester has full knowledge and access to the internal workings of the system being tested. This includes information about the system's architecture, source code, network infrastructure, and any other relevant details. With this insider knowledge, the tester can conduct a comprehensive analysis of the system's security controls, identify potential vulnerabilities, and simulate real-world attack scenarios. Unlike black-box testing, where the tester has no prior knowledge of the system, white-box testing allows for a more thorough and targeted assessment. It enables the tester to focus on specific areas of concern, perform in-depth analysis, and validate the effectiveness of security measures in place. White-box testing is typically conducted by authorized professionals, commonly known as "white-hat hackers," who adhere to ethical guidelines and work in collaboration with the organization being tested.

Answer 346

Gray-box testing Gray-box testing is a type of penetration testing where the tester has limited knowledge and access to information about the internal workings of the targeted system. The tester has some level of understanding about the system's architecture, design, or specific components, but not the full insider knowledge that would be available in white-box testing. In gray-box testing, the tester aims to simulate the perspective of an attacker with some knowledge of the system. This allows them to better understand potential attack vectors, identify vulnerabilities, and assess the effectiveness of security controls from an external standpoint. Gray-box testing strikes a balance between the comprehensive analysis of white-box testing and the external perspective of black-box testing. Gray-box testing can provide valuable insights into the security posture of a system, as it combines elements of both internal and external assessments. It is often conducted by professional penetration testers or security consultants who work closely with the organization being tested to ensure a thorough evaluation while maintaining a degree of realism.

Answer 347

War driving War driving refers to the act of searching for and mapping wireless networks by driving around with a device equipped with Wi-Fi capabilities. It is typically done with the intent of identifying vulnerable or unprotected networks for malicious purposes. An optimal Wireless Access Point (WAP) antenna placement can help mitigate the risk of war driving. By strategically positioning the WAP antennas, the wireless network's signal strength and coverage can be optimized within the desired area, while minimizing the signal leakage beyond the intended boundaries. This makes it more difficult for war drivers to detect and access the network from outside the designated areas. While war chalking, spoofing, and insider threats are all valid security concerns in the context of wireless networks, an optimal antenna placement specifically addresses the risk of war driving.

Answer 348

Active reconnaissance in penetration testing OSINT (Open Source Intelligence) refers to the collection and analysis of information from publicly available sources. It involves gathering information from sources such as websites, social media platforms, public records, news articles, and other publicly accessible information. OSINT is typically conducted in a passive manner, meaning that the information is gathered without directly interacting with the target or system being assessed. It focuses on observing, collecting, and analyzing existing information. On the other hand, active reconnaissance in penetration testing involves actively probing and interacting with the target system to gather information. This can include activities like port scanning, vulnerability scanning, or network probing. Active reconnaissance is typically part of the overall penetration testing process and goes beyond the scope of traditional OSINT. Therefore, while OSINT can provide valuable information for penetration testing, it is a passive process that does not involve active reconnaissance activities.

Answer 349

An attacker

Answer 350

White team

Answer 351

- Also known as administrative controls - Focused on managing risk - Documented in written policies Managerial security controls, also known as administrative controls, are a category of controls that focus on managing and mitigating risks within an organization. They involve the development and implementation of policies, procedures, and guidelines to guide the day-to-day operations of an organization and ensure compliance with security requirements. These controls are typically documented in written policies and are aimed at reducing risks and improving the overall security posture of the organization. They are implemented and enforced by management and play a crucial role in establishing a security framework and governance structure within an organization.

Answer 352

- Organizational security policy - Risk assessments - Vulnerability assessments Managerial security controls are focused on managing and mitigating risks within an organization. They involve the development and implementation of policies, procedures, and guidelines to guide the day-to-day operations of an organization and ensure compliance with security requirements. Examples of managerial security controls include: 1. Organizational security policy: This is a documented policy that outlines the organization's approach to security, including objectives, responsibilities, and guidelines for implementing security measures. 2. Risk assessments: These are systematic processes for identifying, analyzing, and evaluating potential risks to the organization's assets and operations. Risk assessments help identify areas of vulnerability and inform decision-making regarding security controls. 3. Vulnerability assessments: These involve the systematic identification and evaluation of vulnerabilities within the organization's systems, networks, and infrastructure. Vulnerability assessments help identify weaknesses that could be exploited by attackers and inform the implementation of appropriate security controls. Configuration management and data backups, on the other hand, fall into the category of technical security controls rather than managerial controls. Configuration management involves managing and controlling changes to system configurations to ensure security and stability. Data backups are a protective measure to create copies of important data to prevent data loss in case of incidents or disasters.

Answer 353

- Configuration management - Data backups - Awareness training Operational security controls are focused on the day-to-day procedures and practices within an organization to ensure the ongoing security of systems and data. They involve the implementation and management of specific measures to protect against threats and vulnerabilities. Examples of operational security controls include: 1. Configuration management: This involves establishing and maintaining a secure configuration for systems and devices. It includes practices such as securely configuring operating systems, applications, and network devices, as well as managing changes to configurations to prevent unauthorized access or unintended changes that could compromise security. 2. Data backups: Data backups are an essential operational control that involves regularly creating copies of important data and storing them securely. Data backups ensure that in the event of data loss due to system failure, human error, or malicious activity, the organization can restore the data and resume normal operations. 3. Awareness training: Awareness training programs are designed to educate employees about various aspects of security, including best practices, policies, and procedures. These programs aim to raise awareness about potential threats and vulnerabilities, teach employees how to identify and respond to security incidents, and promote a security-conscious culture within the organization. These operational security controls help organizations mitigate risks and ensure the ongoing protection of their systems, data, and assets.

Answer 354

- Focused on the day-to-day procedures of an organization - Used to ensure that the equipment continues to work as specified - Primarily implemented and executed by people (as opposed to systems) Operational security controls are concerned with the practical implementation and execution of security measures within an organization. They involve the day-to-day procedures, practices, and actions that help maintain the security of systems, networks, and data. Examples of operational security controls include: 1. Focused on the day-to-day procedures of an organization: Operational controls are designed to address the specific operational aspects of security. They include activities such as user management, incident response, access control, security awareness training, and security monitoring. These controls are implemented to ensure that security measures are consistently followed in daily operations. 2. Used to ensure that the equipment continues to work as specified: Operational controls also include activities related to the maintenance, monitoring, and upkeep of hardware and software systems. This includes tasks such as patch management, system updates, configuration management, and regular system backups. These controls aim to ensure that the equipment and systems function as intended and remain secure. 3. Primarily implemented and executed by people (as opposed to systems): Operational controls heavily rely on the actions and decisions of individuals within the organization. They require proper training, awareness, and adherence to security policies and procedures by employees. Examples include access control procedures, incident response protocols, and security awareness training programs. Operational security controls are essential for maintaining the security posture of an organization and reducing risks associated with day-to-day operations. They complement other categories of security controls, such as technical and physical controls, to create a comprehensive security framework.

Answer 355

- Sometimes called logical security controls - Executed by computer systems (instead of people) - Implemented with technology Technical security controls are implemented using technology and systems to protect against security threats and vulnerabilities. They focus on the technical aspects of security and utilize various mechanisms to ensure the confidentiality, integrity, and availability of systems and data. Examples of technical security controls include: 1. Sometimes called logical security controls: Technical controls are often referred to as logical security controls because they involve the use of logical measures to protect systems and data. These controls include access control mechanisms, encryption, intrusion detection systems, firewalls, and secure coding practices. 2. Executed by computer systems (instead of people): Technical controls are executed and enforced by computer systems, software applications, and network infrastructure. These controls operate automatically without requiring direct human intervention. Examples include access control lists (ACLs) implemented on network devices, automated security scanning tools, and security event logging systems. 3. Implemented with technology: Technical controls rely on the use of technology and tools to enforce security measures. This includes the deployment of security software, hardware devices, and other technological solutions. Examples include antivirus software, data loss prevention (DLP) systems, encryption algorithms, and secure network protocols. Technical security controls work in conjunction with administrative and operational controls to create a comprehensive security framework. They provide mechanisms for protecting systems and data from unauthorized access, mitigating risks, and detecting and responding to security incidents.

Answer 356

- Encryption protocols - Firewall ACLs - Authentication protocols Technical security controls utilize technology and mechanisms to protect systems and data. They focus on implementing safeguards at a technical level to ensure the confidentiality, integrity, and availability of information. Examples of technical security controls include: 1. Encryption protocols: Encryption is a technique used to transform data into a secure form that can only be accessed with the appropriate decryption key. Encryption protocols, such as SSL/TLS for secure web communication or PGP for email encryption, are used to protect data during transmission and storage. 2. Firewall ACLs: Firewalls are network security devices that monitor and control incoming and outgoing network traffic based on predetermined rules. Access Control Lists (ACLs) are a component of firewalls that specify which network traffic is allowed or denied based on factors like IP addresses, ports, and protocols. 3. Authentication protocols: Authentication protocols verify the identity of users or systems attempting to access a network or resource. Examples include protocols like the Remote Authentication Dial-In User Service (RADIUS) or the Lightweight Directory Access Protocol (LDAP) used for centralized user authentication. Security audits, organizational security policy, and configuration management are important aspects of overall security, but they are more closely associated with administrative or operational controls rather than technical controls.

Answer 357

- Security guards - System hardening - Separation of duties Preventive security controls are measures implemented to proactively prevent security incidents or unauthorized access to systems and data. They aim to minimize the likelihood of threats being successful. 1. Security guards: Physical security controls include measures such as security guards. These controls are designed to physically protect the premises, assets, and infrastructure from unauthorized access, theft, vandalism, or other physical threats. 2. System hardening: System hardening involves implementing security configurations and measures to reduce vulnerabilities and enhance the security of systems. This can include actions such as applying patches and updates, disabling unnecessary services and accounts, configuring strong passwords, and implementing security protocols like encryption. 3. Separation of duties: Separation of duties is a practice that involves dividing critical tasks and responsibilities among multiple individuals. This ensures that no single person has complete control or authority over a process or system. By separating duties, the risk of unauthorized access, fraud, and errors is reduced, as multiple individuals are required to work together to complete a task. These preventive security controls work together to minimize the likelihood of security incidents and unauthorized access. Physical security measures protect against physical threats, system hardening strengthens the security posture of systems, and separation of duties limits the potential for unauthorized actions by individuals.

Answer 358

The examples of detective security controls are log monitoring, security audits, CCTV, and intrusion detection systems (IDS). 1. Log monitoring: This involves the continuous monitoring and analysis of system logs and event records to detect and investigate any suspicious activities or security breaches. By reviewing log entries from various systems and applications, organizations can identify potential security incidents. 2. Security audits: Security audits are comprehensive assessments of an organization's security controls, policies, and procedures. They are conducted to identify vulnerabilities, weaknesses, and compliance gaps in the security infrastructure. Through security audits, organizations can detect and address potential security issues. 3. CCTV (Closed-Circuit Television): CCTV refers to video surveillance systems that use cameras to monitor and record activities in specific areas. It is a detective security control as it provides visual monitoring and recording capabilities, allowing organizations to review footage for identifying security incidents or suspicious behaviour. 4. Intrusion Detection Systems (IDS): IDS is a technology that monitors network traffic, system activities, and behaviours to identify signs of unauthorized access, intrusion attempts, or malicious activities. It analyses network packets, log files, and other data sources to detect and alert on potential security threats.

Answer 359

Corrective security controls include: 1. IPS (Intrusion Prevention System): An IPS actively monitors network traffic and takes immediate action to prevent and correct potential intrusions or security threats. It detects and blocks malicious activities, helping to correct security incidents in real-time. 2. Backups and system recovery: Regular backups and system recovery processes are crucial for correcting security incidents or data loss. By having up-to-date backups and well-defined recovery procedures, organizations can restore data and systems to a known good state after a security breach or system failure. 3. Alternative site: An alternative site, also known as a disaster recovery site or backup site, is a location where critical systems and data can be transferred and restored in the event of a disaster or significant disruption. It provides a means to correct the impact of a security incident by ensuring continuity of operations at an alternate location. 4. Fire suppression system: A fire suppression system is a corrective security control designed to detect and suppress fires in facilities or data centres. By quickly responding to fire incidents, it helps to minimize damage and correct the situation, allowing for the resumption of normal operations. These controls are specifically implemented to correct and mitigate the impact of security incidents, breaches, or disruptions in order to restore normalcy and protect the organization's assets.

Answer 360

The examples of deterrent security controls include: 1. Warning signs: Displaying warning signs in visible locations can deter potential intruders or unauthorized individuals from attempting to breach security measures. These signs may indicate the presence of surveillance, restricted areas, or consequences for unauthorized access. 2. Lighting: Adequate lighting in and around premises can serve as a deterrent by increasing visibility and reducing hiding spots. Well-lit areas are less attractive to potential intruders and can make it easier to detect suspicious activities. 3. Login banners: Login banners are messages displayed before the authentication process on computer systems or networks. They can serve as a deterrent by warning users about acceptable use policies, legal consequences, or monitoring activities, discouraging unauthorized access or misuse. Deterrent security controls are designed to discourage potential threats or unauthorized activities by creating an environment that appears difficult or risky to exploit. They aim to influence behaviour and prevent security incidents from occurring in the first place.

Answer 361

Compensating security controls are additional measures implemented to compensate for the limitations or gaps in primary security controls. Examples of compensating security controls include: 1. Backup power system: A backup power system ensures that critical systems and infrastructure remain operational during power outages or disruptions, mitigating the risk of service interruptions and data loss. 2. Sandboxing: Sandboxing isolates potentially malicious software or processes in a controlled environment, preventing them from affecting the overall system. It compensates for the risk of executing unknown or untrusted applications by containing them within a secure sandbox. 3. Temporary port blocking: Temporary port blocking involves selectively blocking or restricting specific network ports temporarily to prevent unauthorized access or to address security vulnerabilities. It serves as a compensatory measure when traditional security controls are insufficient to mitigate specific risks. 4. Temporary service disablement: Temporary service disablement involves temporarily disabling certain services or functionalities to mitigate immediate security risks. It can be applied in situations where vulnerabilities or threats are identified, providing a compensatory action until a permanent solution is implemented. These compensating security controls help mitigate risks and enhance the overall security posture by providing additional layers of protection or addressing specific vulnerabilities when the primary controls are inadequate or unavailable.

Answer 362

Physical security control Physical security controls involve the use of physical measures, such as security personnel, access controls, video surveillance, and alarms, to protect physical assets, facilities, and people. These controls are designed to prevent unauthorized access, deter potential threats, and ensure the physical security and safety of an organization's resources.

Answer 363

Cable lock A cable lock is a device that allows you to secure your laptop to a fixed object, such as a desk or table, using a strong cable and lock. This helps prevent opportunistic theft by making it difficult for someone to grab and walk away with the laptop. Cable locks are commonly used in office settings, libraries, and other public spaces to enhance the physical security of laptops and deter theft.

Answer 364

USB data blocker The physical security control that can be implemented as a Data Loss Prevention (DLP) solution is the USB data blocker. A USB data blocker is a device that allows charging of a device via a USB port while blocking data transfer. It ensures that only power flows through the USB connection while preventing unauthorized data access or potential malware infections. By using a USB data blocker, organizations can mitigate the risk of data loss or theft through unauthorized USB connections. Visitor logs, CCTV (Closed-Circuit Television), and motion detection are physical security controls that are not directly related to DLP solutions but are commonly used for overall physical security and surveillance purposes.

Answer 365

1. Proximity card reader: A proximity card reader is a device that reads access control cards or key fobs when they are presented within close proximity. It verifies the card's unique identifier and grants access to individuals with authorized cards, helping to restrict entry to authorized personnel only. 2. Smart card reader: A smart card reader is a device that reads and processes data stored on a smart card. Smart cards are embedded with integrated circuits and can store more information compared to proximity cards. By using a smart card reader, access to a door can be restricted to individuals who possess a valid smart card and have the necessary credentials. Air gap, CCTV, and industrial camouflage are not directly related to securing door access but may be applicable to other aspects of physical security.

Answer 366

1. Physical security control type: A Faraday cage is classified as a physical security control. It is a structure or enclosure designed to physically restrict access and provide protection to the contents inside. 2. Provides protection against RFI (Radio Frequency Interference): A Faraday cage effectively blocks and attenuates external radio frequency signals, preventing them from entering the enclosed space and interfering with sensitive electronic devices or signals. 3. Provides protection against EMI (Electromagnetic Interference): Similarly, a Faraday cage shields against electromagnetic interference, preventing external electromagnetic waves from penetrating the enclosure and disrupting the functioning of electronic equipment within. These characteristics make the Faraday cage an effective physical security measure for mitigating the risks associated with RFI and EMI.

Answer 367

Degaussing Degaussing provides the most effective way for permanent removal of data stored on a magnetic drive. Degaussing involves using a strong magnetic field to disrupt the magnetic domains on the drive, rendering the data unrecoverable. It erases the entire drive, including the data stored in individual sectors and files. Degaussing is considered a secure method for data destruction as it eliminates the possibility of data recovery.

Answer 368

Air gap An air gap refers to a complete physical separation between a computer or network and any external networks. It means that the system or network is not connected to any external network, including the internet. This isolation helps to prevent unauthorized access, data breaches, and malware infections that may occur through network connections.

Answer 369

Copyright Law. Copyright law provides the creator of an original work, such as software code, with exclusive rights to reproduce, distribute, and display the work. By obtaining copyright protection for the source code, the software developer can legally prevent others from copying or using their code without permission. It provides a strong legal basis for enforcing intellectual property rights and pursuing legal action against those who infringe upon the copyright.

Answer 370

D. Standard operating procedure A standard operating procedure (SOP) is a set of documented instructions that outlines the steps, actions, and considerations required to perform a specific task or process in a consistent and standardized manner. In this case, having an SOP would assist Donna and others in her organization by providing clear guidelines on how to handle requests for accessing employee email accounts. The SOP would outline the necessary steps, approval processes, and considerations to ensure that access is granted only when there is a valid business need and in accordance with organizational policies and legal requirements. It helps ensure consistency, transparency, and accountability in decision-making related to granting access to sensitive resources like email accounts.

Answer 371

C. Stateful inspection Stateful inspection is a firewall technology that keeps track of the state of network connections. It monitors the stages of the TCP handshake, including the initial connection setup, and maintains a record of the connection's state. By doing so, it can make more informed decisions about allowing or blocking packets that are part of an active connection. Stateful inspection firewalls offer improved security and performance compared to stateless firewalls, which do not maintain information about the connection state.

Answer 372

B. Detective Tuning an Intrusion Detection System (IDS) to reduce the false positive rate is an activity associated with improving its ability to detect and identify potential security incidents. The primary purpose of an IDS is to detect and analyse suspicious activities or events within a network. By reducing false positives, the IDS becomes more accurate in identifying genuine security threats, enhancing its effectiveness as a detective control.

Answer 373

D. Twice as strong Increasing the length of a key by a single bit doubles the number of possible combinations that an attacker would need to try in a brute force attack. Each additional bit doubles the number of possible key combinations. Therefore, the key becomes twice as strong against a brute force attack.

Answer 374

D. APT (Advanced Persistent Threat) An APT, or Advanced Persistent Threat, is an attacker type that typically engages in sophisticated and targeted attacks. They are known for exploiting zero-day vulnerabilities, which are vulnerabilities that are unknown to the public and for which no patch or fix is available. APT attackers invest significant resources and time in their attacks and aim to maintain long-term access to a target network for intelligence gathering or other malicious activities.

Answer 375

Synchronous replication Waiting for acknowledgement of receipt after duplicating a system is typically associated with synchronous replication. Synchronous replication is a data replication method that ensures that data is simultaneously written to multiple locations in real-time, providing strong consistency and durability.

Answer 376

B. information security code of practice ISO/IEC 27002, also known as ISO/IEC 27002:2013, is an information security code of practice. It provides detailed guidance and best practices for implementing and managing information security controls within an organization. It covers a wide range of security areas, including risk assessment, security policy, organization of information security, asset management, access control, cryptography, physical and environmental security, security incident management, business continuity, and more. ISO/IEC 27002 is designed to assist organizations in establishing and maintaining effective information security management systems, ensuring the confidentiality, integrity, and availability of their information assets.

Answer 377

B. is granted access rights to a directory When a user authorization occurs, the system verifies and grants the user the necessary access rights to a specific directory. This means that the user is given permission to perform certain actions, such as reading, writing, or modifying files within that directory. The system ensures that the user has the necessary privileges and credentials to access and interact with the directory securely and according to the defined permissions and restrictions set by the system administrator.

Answer 378

Mirroring RAID 1, also known as "mirroring," describes a configuration where data is duplicated across multiple drives. In this setup, two or more disks are used, and data is written simultaneously to each disk, creating an exact copy or mirror of the data. RAID 1 provides fault tolerance as it allows for the continued operation of the system even if one of the drives fails. It is commonly used to enhance data redundancy and improve data availability in storage systems.

Answer 379

warm standby In a warm standby setup, a duplicate system is maintained and kept in a partially operational state. The system is configured and prepared with the necessary software and configurations, but the data is typically not synchronized in real-time. Instead, data is loaded to a known backup point, which is usually a recent backup or snapshot of the data. This setup allows for a faster recovery process in case of a failure or system outage.

Answer 380

PKI is the framework for deploying asymmetric cryptography systems. PKI is a framework that provides the necessary infrastructure for managing and deploying public key cryptography. It includes components such as certificate authorities, digital certificates, and protocols like X.509 for establishing trust and secure communication. Asymmetric cryptography, which involves the use of public and private key pairs, is a fundamental aspect of PKI.

Answer 381

B) RADIUS (Remote Authentication Dial-In User Service). RADIUS is a widely adopted networking protocol that provides AAA services for network access. It is a standard and open protocol, making it a suitable choice to avoid proprietary solutions. RADIUS facilitates centralized authentication, authorization, and accounting for various network services, including wireless and remote access. Using RADIUS as the AAA solution, the security analyst can ensure consistent and secure access control across wireless and remote access network services without relying on proprietary technologies. Option A, TACACS+ (Terminal Access Controller Access-Control System Plus), is a proprietary protocol that offers similar functionality to RADIUS but is not explicitly mentioned as a requirement to avoid proprietary solutions. Option C, OAuth (Open Authorization), is an authorization framework primarily used for granting access to third-party applications using tokens. While it plays a role in access control, it is not a dedicated AAA solution for network services. Option D, MS Access Database, is not a suitable technology for providing AAA services in an organization's network infrastructure. It is a relational database management system and does not offer the necessary functionality for AAA services like authentication, authorization, and accounting.

Answer 382

C. MDM. (Mobile Device Management Mobile Device Management (MDM) is a technology that allows organizations to manage and secure mobile devices used by their employees. It provides centralized control and administration over various aspects of mobile devices, including security settings, configuration, application management, and data protection.

Answer 383

D) Patch the OS to the latest version. Patching the operating system (OS) to the latest version is the most critical initial step when setting up a new web server. This action ensures that the server benefits from the latest security updates, bug fixes, and improvements provided by the OS vendor.

Answer 384

A) By ensuring appropriate data isolation and logical storage segregation. To maintain data confidentiality and prevent unauthorized access in a shared server environment, a cloud service provider should implement effective data isolation and logical storage segregation practices. Here's how this can be achieved: Data Isolation: The cloud service provider should implement measures to ensure that each client's data is stored separately and isolated from other clients' data. This can be achieved through techniques such as virtualization, where each client's data resides in separate virtual environments or containers. Logical Storage Segregation: The provider should employ logical controls to segregate and restrict access to client data. This includes using access control mechanisms, strong authentication, and authorization protocols to ensure that only authorized users have access to specific data. By implementing these measures, the cloud service provider can prevent unauthorized access and minimize the risk of one client accessing data belonging to another in a shared server environment.

Answer 385

B) Hypervisor. The hypervisor, also known as a virtual machine monitor (VMM), is the core component in a virtualized environment that enables the creation and management of multiple virtual machines (guest machines) on a single physical host machine.

Answer 386

A) Public. In a public cloud delivery model, the cloud infrastructure and services are provided by a third-party cloud service provider and made available to the general public or multiple organizations. The key characteristic of a public cloud is that it operates on shared infrastructure, where multiple clients share the same underlying resources.

Answer 387

Anomaly based intrusion detection. Zero-day attacks are characterized by exploiting vulnerabilities that are unknown to the software vendor, hence there are no specific signatures or patterns to detect them. In such cases, anomaly-based intrusion detection systems are often more effective.

Answer 388

Integrity. Integrity in information security refers to maintaining the accuracy, completeness, and consistency of data throughout its lifecycle. It ensures that data remains unaltered and reliable, preventing unauthorized or unintended modifications.

Answer 389

Windows Desktop Systems. Syslog is a standard protocol used for logging and sending system log messages in a network. While Linux-based systems, such as Linux Web Server Appliances (option C), typically have native support for syslog and can generate syslog events, Windows Desktop Systems (option B) do not natively support syslog.

Answer 390

Security control Security controls are safeguards designed to reduce specific security risks. The NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

Answer 391

A manual that provides details about what actions to take.

Answer 392

Application that collects and analyzes log data to monitor an organization’s critical activities

Answer 393

A tool used to visually communicate information or data

Answer 394

A record of events that occur within an organization’s systems.

Answer 395

network protocol analyzer (packet sniffer)

Answer 396

To identify vulnerabilities and potential security breaches

Answer 397

playbook A Playbook is a manual that provides details about operational actions.

Answer 398

Python and SQL can be used to perform repetitive, time-consuming tasks and/or request information from a database.

Answer 399

Structured Query Language (SQL) Security professionals use Structured Query Language (SQL) to interact with and request information from a database.

Answer 400

Create a specific set of instructions for a computer to execute tasks Complete repetitive tasks and processes Programming is typically used to complete repetitive tasks and processes and create a specific set of instructions for a computer to execute tasks.

Answer 401

Operating system Linux is an open-source operating system that can be used to examine logs.

Answer 402

False A playbook is a manual that provides details about any operational action, including incident response, security or compliance reviews, access management, and many other organizational tasks that require a documented process from beginning to end.

Answer 403

Providing alerts for specific types of risks Proactively searching for threats Performing incident analysis

Answer 404

Security information and event management (SIEM)

Answer 405

An intrusion detection system (IDS) A network protocol analyzer (packet sniffer)

Answer 406

They can be used to create a specific set of instructions for a computer to execute tasks. They filter through data points faster than humans can working manually. They execute repetitive processes accurately.

Answer 407

command line

Answer 408

It helps ensure accuracy. It saves time.

Answer 409

Managing and securing physical networks and wireless communications

Answer 410

Optimizing data security by using effective tools, systems, and processes

Answer 411

Security goals and objectives, risk mitigation, compliance, business continuity, and the law

Answer 412

Securing assets; storage, maintenance, retention, and destruction of data

Answer 413

Using access, authorization, and established policies to secure data and manage assets

Answer 414

Conducting investigations and implementing preventative measures

Answer 415

Using secure coding practices to create secure applications and services

Answer 416

Conducting security control testing and audits, collecting and analysing data

Answer 417

Identity and access management The identity and access management domain is focused on access and authorization to keep data secure by making sure that users follow established policies to control and manage assets.

Answer 418

Define security goals and objectives, risk mitigation, compliance, business continuity, and regulations The focus of the security and risk management domain is defining security goals and objectives, risk mitigation, compliance, business continuity, and regulations.

Answer 419

Security assessment and testing In the security assessment and testing domain, a security professional conducts security control testing; collects and analyzes data; and performs security audits to monitor for risks, threats, and vulnerabilities. The security architecture and engineering domain is focused on optimizing data security by ensuring effective tools, systems, and processes are in place to protect an organization’s assets and data.

Answer 420

security operations The security operations domain concerns conducting investigations and implementing preventative measures.

Answer 421

A weakness that can be exploited by a threat

Answer 422

high-risk asset Information protected by regulations or laws is a high-risk asset. If it is compromised, there is likely to be a severe negative impact on an organization’s finances, operations, or reputation.

Answer 423

Financial damage Identity theft Damage to reputation

Answer 424

categorize The steps in the RMF are prepare, categorize, select, implement, assess, authorize, and monitor. In the categorize step, security professionals develop risk-management processes and tasks.

Answer 425

Maintain business continuity Mitigate risk Follow legal regulations

Answer 426

Business continuity

Answer 427

Security architecture and engineering

Answer 428

Identity and access management

Answer 429

Collect and analyze data Conduct security control testing Perform security audits

Answer 430

Initiating a secure design review Conducting secure code reviews Performing penetration testing

Answer 431

If compromised, a medium-risk asset may cause some damage to an organization's finances. Organizations often rate risks at different levels: low, medium, and high. Website content or published research data are examples of low-risk assets.

Answer 432

They are used to establish guidelines for building security plans.

Answer 433

False People are the biggest threat to a company’s security. This is why educating employees about security challenges is essential for minimizing the possibility of a breach.

Answer 434

Authentication This describes authentication, which is the process of implementing controls to verify who someone or something is before granting access to specific resources within a system.

Answer 435

risk The confidentiality, integrity, availability (CIA) triad is a model that helps inform how organizations consider risk when setting up systems and security policies.

Answer 436

You frequently sign into your bank account to check your balances.

Answer 437

You recently shopped at Store Y and verify you were charged correctly.

Answer 438

You must use two-factor authentication before signing into an employee portal.

Answer 439

A foundational security model used to set up security policies and systems

Answer 440

Confidentiality

Answer 441

Availability Availability specifies that data is accessible to authorized users.

Answer 442

Standards, guidelines, and best practices that organizations follow voluntarily in order to manage cybersecurity risk

Answer 443

Return affected systems back to normal operation

Answer 444

When communicating the results of an internal audit to stakeholders, the communication should include a summary of the audit's scope and goals; a list of risks and compliance requirements that need to be addressed; and a recommendation about how to improve the organization’s security posture.

Answer 445

Controls assessment This scenario describes a controls assessment. A controls assessment involves closely reviewing an organization’s existing assets, then evaluating potential risks to those assets in order to ensure internal controls and processes are effective.

Answer 446

A security audit is a review of an organization's security controls, policies, and procedures against a set of expectations.

Answer 447

Minimize the attack surface This scenario describes minimizing the attack surface. Separation of duties means that no one should be given so many privileges that they can misuse the system.

Answer 448

Security framework Guidelines used for building plans to help mitigate risk and threats to data and privacy

Answer 449

Integrity The idea that the data is correct, authentic, and reliable

Answer 450

Biometrics The unique physical characteristics that can be used to verify a person’s identity

Answer 451

encryption The process of converting data from a readable format to an encoded format

Answer 452

The detect function of the CSF involves improving monitoring capabilities to increase the speed and efficiency of detections. Restoring affected files or data is part of the recover function of the CSF. The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. -------------------------------------------------------- Identify The Identify Function assists in developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Identifying physical and software assets within the organization to establish the basis of an Asset Management program Identifying the Business Environment the organization supports including the organization's role in the supply chain, and the organizations place in the critical infrastructure sector Identifying cybersecurity policies established within the organization to define the Governance program as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for the organizations Risk Assessment Identifying a Risk Management Strategy for the organization including establishing risk tolerances Identifying a Supply Chain Risk Management strategy including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks Protect The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Protections for Identity Management and Access Control within the organization including physical and remote access Empowering staff within the organization through Awareness and Training including role based and privileged user training Establishing Data Security protection consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information Implementing Information Protection Processes and Procedures to maintain and manage the protections of information systems and assets Protecting organizational resources through Maintenance, including remote maintenance, activities Managing Protective Technology to ensure the security and resilience of systems and assets are consistent with organizational policies, procedures, and agreements Detect The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Ensuring Anomalies and Events are detected, and their potential impact is understood Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures including network and physical activities Maintaining Detection Processes to provide awareness of anomalous events Respond The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include: Ensuring Response Planning process are executed during and after an incident Managing Communications during and after an event with stakeholders, law enforcement, external stakeholders as appropriate Analysis is conducted to ensure effective response and support recovery activities including forensic analysis, and determining the impact of incidents Mitigation activities are performed to prevent expansion of an event and to resolve the incident The organization implements Improvements by incorporating lessons learned from current and previous detection / response activities Recover The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. Examples of outcome Categories within this Function include: Ensuring the organization implements Recovery Planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents Implementing Improvements based on lessons learned and reviews of existing strategies Internal and external Communications are coordinated during and following the recovery from a cybersecurity incident.

Answer 453

Defense in depth

Answer 454

Identify any security gaps or weaknesses within an organization Enable security teams to assess controls Help security teams correct compliance issues Security audit: A review of an organization's security controls, policies, and procedures against a set of expectations

Answer 455

Physical controls

Answer 456

Existing risks that need to be addressed now or in the future Strategies for improving security posture A summary of the goals

Answer 457

event A security information and event management (SIEM) tool is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools index and minimize the scope of logs a security professional should manually review and analyze.

Answer 458

Server Server logs record events related to websites, emails, and file shares. They include actions such as login requests, password and username requests, as well as the ongoing use of these services. A network log is a record of all computers and devices that enter and leave the network. It also records connections between devices and services on the network.

Answer 459

Metrics Metrics are key technical attributes including response time, availability, and failure rate, which are used to assess the performance of a software application. SIEM dashboards can be customized to display relevant metrics.

Answer 460

customized SIEM tools must be configured and customized to meet each organization's unique security needs.

Answer 461

Hybrid They should select a hybrid solution. Hybrid solutions use a combination of both self- and cloud-hosted SIEM tools to leverage the benefits of the cloud while maintaining physical control over confidential data.

Answer 462

True SIEM tools provide dashboards that help cybersecurity professionals organize and focus their security efforts. This allows analysts to reduce risk by identifying, analyzing, and remediating the highest priority items in a timely manner.

Answer 463

cloud-native A cloud-native SIEM tool, such as Chronicle, is specifically designed to take advantage of cloud computing capabilities including availability, flexibility, and scalability.

Answer 464

Self-hosted Cloud-hosted Hybrid Hybrid SIEM What it is: A hybrid SIEM combines both on-premises (self-hosted) and cloud-hosted components. How it works: Some SIEM functionalities are managed on-premises (self-hosted), while others are handled through the cloud. For example, data collection and initial processing may occur on local servers, but data storage, advanced analytics, and threat detection might be offloaded to a cloud service. Benefits: Flexibility: Leverages both on-premises control and cloud scalability. Balance: Can reduce cloud dependency while still benefiting from cloud-based resources and storage. Use Case: Often preferred by organizations that need to keep certain data in-house (due to regulations) while utilizing the cloud for enhanced performance or analytics. 2. Self-hosted SIEM What it is: The SIEM solution is hosted entirely on the organization’s own infrastructure, such as on-premises servers or private data centers. How it works: The organization installs, configures, and maintains the SIEM software on its own hardware. Data collection, processing, analysis, and storage happen within the organization’s internal network. Benefits: Full Control: The organization has complete control over the infrastructure, data, and how the SIEM solution is configured. Customization: More options for tailoring the SIEM to specific needs. Compliance: Useful for industries with strict compliance requirements for data storage and security (e.g., healthcare, finance). Drawbacks: Resource Intensive: Requires significant IT resources to manage, scale, and maintain the SIEM. High Costs: Upfront hardware, software licensing, and ongoing maintenance costs can be high. 3. Cloud-hosted SIEM What it is: The SIEM solution is hosted and managed entirely in the cloud by a third-party provider. How it works: The organization’s security logs, events, and data are sent to the cloud provider’s infrastructure. All data analysis, threat detection, and reporting take place in the cloud environment. Benefits: Scalability: Can handle large volumes of data and scale up as needed without the need for additional on-premises infrastructure. Cost-effective: Reduces the need for on-premise hardware and the associated maintenance costs. Ease of Management: The vendor typically handles updates, maintenance, and scaling, reducing the IT burden on the organization. Drawbacks: Limited Control: Less control over the infrastructure and the ability to customize. Potential Security Concerns: Organizations must trust that the cloud provider has sufficient security measures in place. Data Sovereignty: Some organizations might have concerns about storing sensitive data in the cloud, especially if it crosses geographic boundaries. 4. Remote SIEM What it is: The term "remote SIEM" often refers to a SIEM solution managed remotely by a third-party service provider or an organization's IT team, typically used as a Managed SIEM or MSSP (Managed Security Service Provider). How it works: The SIEM solution may be self-hosted (on-premises) or cloud-hosted, but the management, monitoring, and analysis of security data are done remotely by the service provider or an off-site security team. Logs, alerts, and incidents are monitored remotely, with the provider or team handling incident response and reporting. Benefits: Outsourced Management: Allows an organization to focus on core operations while the SIEM is managed by experts remotely. 24/7 Monitoring: Many remote SIEM solutions offer round-the-clock monitoring and incident response. Cost-effective: Reduces the need for an in-house security team or infrastructure to manage the SIEM. Drawbacks: Less On-site Control: The organization must rely on a third-party to monitor and manage security incidents. Dependence on Vendor: If the provider is slow to respond, it can delay incident response and mitigation.

Answer 465

A log is a record of events that occur within an organization’s systems and networks. Events related to websites, emails, or file shares are recorded in a server log. A network log is a record of all computers and devices that enter and leave a network.

Answer 466

Save time Collect log data from different sources Provide event monitoring and analysis

Answer 467

metrics Metrics: Key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application

Answer 468

Self-hosted

Answer 469

log data SIEM tools: A software platform that collects, analyzes, and correlates security data from various sources across your IT infrastructure that helps identify and respond to security threats in real-time, investigate security incidents, and comply with security regulations

Answer 470

SIEM SIEM tools: A software platform that collects, analyzes, and correlates security data from various sources across your IT infrastructure that helps identify and respond to security threats in real-time, investigate security incidents, and comply with security regulations

Answer 471

Proprietary Proprietary technology involves an application, tool, or system that belongs exclusively to an enterprise. These are generally developed and used by the owner internally in order to produce and sell products or services to the end user or customer.

Answer 472

Playbooks ensure that people follow a consistent list of actions in a prescribed way. Playbooks clarify what tools should be used to respond to security incidents. Playbooks are manuals that provide details about any operational action.

Answer 473

Throughout the entire incident In the event of a security incident, it is appropriate to refer to an incident response playbook throughout the entire incident. An incident response playbook is a guide with six phases used to help mitigate and manage security incidents from beginning to end.

Answer 474

detection and analysis During the detection and analysis phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.

Answer 475

Post-incident activity In the post-incident activity phase, a security team documents an incident to ensure that their organization is better prepared to handle future incidents. Containment involves preventing further damage and reducing the immediate impact of a security incident.

Answer 476

They work together to provide a structured and efficient way of responding to security incidents.

Answer 477

Analyze log data and related metrics An action that a security analyst can take when they are assessing a SIEM alert is to analyze log data and related metrics. This helps in identifying why the alert was generated by the SIEM tool and determining if the alert is valid.

Answer 478

coordination Once a security incident is resolved, security analysts perform various post-incident activities and coordination efforts with the security team. Coordination involves reporting incidents and sharing information based on established standards.

Answer 479

Eradication and recovery This scenario describes eradication and recovery. This phase involves removing the incident's artifacts and restoring the affected environment to a secure state.

Answer 480

False Playbooks are living documents, so a security team will make frequent changes, updates, and improvements to address new threats and vulnerabilities.

Answer 481

Update a playbook

Answer 482

Coordination Report incidents and share information throughout the response process, based on established standards.

Answer 483

Reduce the immediate impact Prevent further damage

Answer 484

post-incident activity Document the incident, inform organizational leadership, and apply lessons learned.

Answer 485

Preparation Before incidents occur, mitigate potential impacts on the organization by documenting, establishing staffing plans, and educating users.

Answer 486

After receiving a SIEM alert, security teams use playbooks to guide their response process. SIEM tools generate alerts. SIEM tools collect data.

Answer 487

A playbook improves accuracy when identifying and mitigating an incident. A playbook helps security teams respond to urgent situations quickly. Organizations use different types of playbooks for different situations.

Answer 488

documentation

Answer 489

security posture

Answer 490

Preparation Before incidents occur, mitigate potential impacts on the organization by documenting, establishing staffing plans, and educating users.

Answer 491

network A network is a group of connected devices. The devices on a network can communicate with each other over network cables or wireless connections.

Answer 492

A cloud network is a collection of servers or computers that stores resources and data in remote data centers that can be accessed via the internet.

Answer 493

Connects a router to the internet and enables LAN internet access.

Answer 494

A network security device that monitors traffic to or from your network.

Answer 495

A device that sends and receives data between devices on a network.

Answer 496

A network device that connects multiple networks together.

Answer 497

A network device that broadcasts information to every device on the network.

Answer 498

False To connect an entire city, the proper network type would be a WAN. A LAN is a network that spans a small area; a wide area network (WAN) spans a large geographical area.

Answer 499

Hub A hub is a network device that broadcasts information like a radio tower.

Answer 500

They only pass data to the intended destination. They can improve network performance. They control the flow of traffic. Some benefits of switches include the following: They control the flow of traffic, they can improve network performance, and they pass data to the intended destination.

Answer 501

cloud The practice of using servers, applications, and network services that are hosted on the internet is called cloud computing.

Answer 502

A data packet is a basic unit of information that travels from one device to another within a network.

Answer 503

The internet layer is the second layer of the TCP/IP model. The internet layer is where IP addresses are attached to data packets to indicate the location of the sender and receiver. The internet layer also focuses on how networks connect to each other. Layer one: The network access layer deals with creation of data packets and their transmission across a network. This includes hardware devices connected to physical cables and switches that direct data to its destination. Layer two: The internet layer is where IP addresses are attached to data packets to indicate the location of the sender and receiver. The internet layer also focuses on how networks connect to each other. For example, data packets containing information that determine whether they will stay on the LAN or will be sent to a remote network, like the internet. Layer three: The transport layer includes protocols to control the flow of traffic across a network. These protocols permit or deny communication with other devices and include information about the status of the connection. Activities of this layer include error control, which ensures data is flowing smoothly across the network. Layer four: Finally, at the application layer, protocols determine how the data packets will interact with receiving devices. Functions that are organized at application layer include file transfers and email services.

Answer 504

The sender’s IP address, the destination's MAC address, and the protocol to use

Answer 505

Both models illustrate network processes and protocols for data transmission between two or more systems. Both models include an application and a transport layer. Both models define standards for networking and divide the network communication process into different layers.

Answer 506

An internet communication convention The TCP is an internet communication convention, or protocol. It allows two devices to form a connection and stream data.

Answer 507

port A port is a software-based location that organizes the sending and receiving of data between devices on a network.

Answer 508

Application layer The application layer has protocols that organize file transfers and email services. It does this by determining how data packets will interact with receiving devices. The application layer is the fourth layer in the TCP/IP model.

Answer 509

192.168.1.23 192.168.1.23 is an example of an IPv4 address. IPv4 addresses have four, 1 to 3 digit numbers separated by decimal points.

Answer 510

Location An IP address is a unique string of characters that identifies the location of a device on the internet.

Answer 511

172.16.254.1 An example of an IPv4 address is 172.16.254.1. IPv4 addresses are written as four, 1-3-digit numbers separated by decimal points. Each one can contain the values 0-255.

Answer 512

Public IP address A public IP address is assigned by an internet service provider and shared by all devices on a local area network. It is connected to geographic location. All communications from devices in the same local area have the same public-facing address due to network address translation or a forwarding proxy.

Answer 513

Address Table A switch uses a MAC address table to direct data packets to the correct device.

Answer 514

A CSP provides business analytics to monitor web traffic and sales. CSP remote servers allow web applications to be accessed from any location. A CSP offers processing power that is only paid for as needed.

Answer 515

To signal to the receiving device that the packet is finished

Answer 516

Decreased cost Increased scalability

Answer 517

Layer 1, network access Layer one: The network access layer deals with creation of data packets and their transmission across a network. This includes hardware devices connected to physical cables and switches that direct data to its destination. Layer two: The internet layer is where IP addresses are attached to data packets to indicate the location of the sender and receiver. The internet layer also focuses on how networks connect to each other. For example, data packets containing information that determine whether they will stay on the LAN or will be sent to a remote network, like the internet. Layer three: The transport layer includes protocols to control the flow of traffic across a network. These protocols permit or deny communication with other devices and include information about the status of the connection. Activities of this layer include error control, which ensures data is flowing smoothly across the network. Layer four: Finally, at the application layer, protocols determine how the data packets will interact with receiving devices. Functions that are organized at application layer include file transfers and email services.

Answer 518

Transmission Control Protocol (TCP) TCP is an internet communication protocol that allows two devices to form a connection and stream data.

Answer 519

Wi-Fi IEEE 802.11 is commonly known as Wi-Fi. It is a set of standards that define communication for wireless LANs.

Answer 520

Order of delivery Network protocols are rules used by two or more devices on a network to describe the order of delivery and the structure of data.

Answer 521

HTTPS Hypertext transfer protocol secure (HTTPS) provides a secure method of communication between clients and web servers. HTTPS uses digital certificates to perform authentication and can operate over TCP ports 443 and 80.

Answer 522

Secure sockets layer and transport layer security (SSL/TLS) To keep information safe from malicious actors, SSL/TLS can be used. It secures hypertext transfer protocol (HTTP) transactions, which is known as hypertext transfer protocol secure (HTTPS).

Answer 523

True IEEE 802.11, also known as Wi-Fi, is a set of standards that define communication for wireless LANs.

Answer 524

Stateless Stateless firewalls are a class of firewall that operates based on predefined rules and does not keep track of information from data packets. Stateful refers to a class of firewall that keeps track of information passing through it and proactively filters out threats. A next generation firewall, or NGFW, provides even more security than a stateful firewall. Not only does an NGFW provide stateful inspection of incoming and outgoing traffic, but it also performs more in-depth security functions like deep packet inspection and intrusion protection. Some NGFWs connect to cloud-based threat intelligence services so they can quickly update to protect against emerging cyber threats.

Answer 525

Encapsulation A VPN service performs encapsulation to protect data in transit. Encapsulation protects data by wrapping it in other data packets.

Answer 526

reverse proxy server A reverse proxy server regulates and restricts the internet’s access to an internal server. A forward proxy server regulates and restricts a person with access to the internet. The goal is to hide a user's IP address and approve all outgoing requests. A reverse proxy server regulates and restricts the internet access to an internal server. The goal is to accept traffic from external parties, approve it, and forward it to the internal servers. An email proxy server is another valuable security tool. It filters spam email by verifying whether a sender's address was forged. This reduces the risk of phishing attacks that impersonate people known to the organization.

Answer 527

Internal network Restricted zone Demilitarized zone (DMZ) The controlled zone is a subnet that protects the internal network from the uncontrolled zone. There are several types of networks within the controlled zone. On the outer layer is the demilitarized zone, or DMZ, which contains public-facing services that can access the internet. This includes web servers, proxy servers that host websites for the public, and DNS servers that provide IP addresses for internet users. It also includes email and file servers that handle external communications. The DMZ acts as a network perimeter to the internal network. The internal network contains private servers and data that the organization needs to protect. Inside the internal network is another zone called the restricted zone. The restricted zone protects highly confidential information that is only accessible to employees with certain privileges.

Answer 528

Firewall A firewall monitors and filters traffic coming in and out of a network. It either allows or denies traffic based on a defined set of security rules.

Answer 529

False Stateful is a class of firewall that keeps track of information passing through it and proactively filters out threats. Stateless operates based on predefined rules and does not keep track of information from data packets.

Answer 530

VPN service Encapsulation can be performed by a VPN service to help protect information by wrapping sensitive data in other data packets. VPNs change a public IP address and hide a virtual location to keep data private when using a public network.

Answer 531

Restricted zone The restricted zone protects highly confidential information that only people with certain privileges can access. It typically has a separate firewall.

Answer 532

reverse proxy server A security analyst uses a reverse proxy server to regulate and restrict access to an internal server from the internet. This tool works by accepting traffic from external parties, approving it, and forwarding it to internal servers.

Answer 533

Transmission Control Protocol (TCP): An internet communication protocol that allows two devices to form a connection and stream data

Answer 534

IEEE 802.11

Answer 535

Stateful Stateful is a class of firewall that keeps track of information passing through it and proactively filters out threats. Stateless operates based on predefined rules and does not keep track of information from data packets.

Answer 536

next generation firewall (NGFW) A next generation firewall, or NGFW, provides even more security than a stateful firewall. Not only does an NGFW provide stateful inspection of incoming and outgoing traffic, but it also performs more in-depth security functions like deep packet inspection and intrusion protection. Some NGFWs connect to cloud-based threat intelligence services so they can quickly update to protect against emerging cyber threats.

Answer 537

Virtual private network (VPN) A VPN, which stands for virtual private network, establishes a digital connection between your computer and a remote server owned by a VPN provider, creating a point-to-point tunnel that encrypts your personal data, masks your IP address, and lets you sidestep website blocks and firewalls on the internet.

Answer 538

encapsulation Encapsulation can be performed by a VPN service to help protect information by wrapping sensitive data in other data packets. VPNs change a public IP address and hide a virtual location to keep data private when using a public network.

Answer 539

Uncontrolled The uncontrolled zone is public domain, such as the internet. It cannot be controlled by an internal organization, and so this zone is deemed as untrusted because it can be considered as a major security risk due to the limited controls that can be put into place in this type of zone.

Answer 540

Demilitarized zone The demilitarized zone, or DMZ, which contains public-facing services that can access the internet. This includes web servers, proxy servers that host websites for the public, and DNS servers that provide IP addresses for internet users. It also includes email and file servers that handle external communications. The DMZ acts as a network perimeter to the internal network.

Answer 541

Proxy server

Answer 542

They receive outgoing traffic from an employee, approve it, then forward it to its destination on the internet. They hide a user’s IP address and approve all outgoing requests. A forward proxy server regulates and restricts a person with access to the internet. The goal is to hide a user's IP address and approve all outgoing requests.

Answer 543

Packet flooding Malware Spoofing Spoofing, packet flooding, and malware are all common network attacks.

Answer 544

A ping of death attack is a type of DOS attack caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64KB.

Answer 545

Distributed Denial of Service (DDoS) attack A DDoS attack uses multiple devices or servers in different locations to flood the target network with unwanted traffic.

Answer 546

SYN flood attack A SYN flood attack poses as a TCP connection and floods a server with packets simulating the first step of the TCP handshake. This overwhelms the server, making it unable to function.

Answer 547

Ping of Death The DoS attack Ping of Death is caused when a hacker sends a system an ICMP packet that is bigger than 64KB.

Answer 548

SYN flood attack ICMP flood attack ICMP flood and SYN flood attacks take advantage of communication protocols by sending an overwhelming number of requests to a server.

Answer 549

The body of a data packet may contain sensitive information such as credit card numbers, dates of birth, or personal messages. Malicious actors can use the information contained in the body of a data packet to their advantage.

Answer 550

Smurf attack On-path attack Replay attack A smurf attack is when an attacker sniffs an authorized user’s IP address and floods it with packets. An on-path attack is an attack where a malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit. A replay attack is a network attack performed when an attacker intercepts a data packet in transit and delays it or repeats it at another time.

Answer 551

True Active packet sniffing is a type of attack that involves data packets being manipulated while in transit. This can include injecting internet protocols to redirect the packets to unintended ports or changing the information the packet contains. Passive packet sniffing is a type of attack where data packets are read in transit.

Answer 552

IP spoofing IP spoofing involves an attacker changing the source IP of a data packet to impersonate an authorized system and gain access to the network.

Answer 553

Using a VPN A security analyst can protect against malicious packet sniffing by using a VPN to encrypt data as it travels across a network. A VPN is a network security service that changes a public IP address and hides a virtual location to keep data private when using a public network.

Answer 554

A network attack performed when an attacker sniffs an authorized user’s IP address and floods it with packets A smurf attack is a network attack performed when an attacker sniffs an authorized user’s IP address and floods it with packets. It is a combination of a DDoS attack and an IP spoofing attack.

Answer 555

The target crashes and normal business operations cannot continue. Denial of service (DoS) attack: An attack that targets a network or server and floods it with network traffic

Answer 556

In both DoS and DDoS attacks, if any part of the network is overloaded, the attacks are successful. A DoS attack may involve flooding a network with traffic. A DDoS attack is intended to overwhelm the target server.

Answer 557

The server has stopped responding after receiving an unusually high number of incoming SYN packets. Synchronize (SYN) flood attack: A type of DoS attack that simulates a TCP/IP connection and floods a server with SYN packets

Answer 558

Active packet sniffing may enable attackers to redirect the packets to unintended ports. Using only websites with HTTPS at the beginning of their domain names provides protection from packet sniffing. The purpose of passive packet sniffing is to read data packets while in transit.

Answer 559

64KB Ping of death: A type of DoS attack caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64KB

Answer 560

IP spoofing IP spoofing: A network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network

Answer 561

On-path attack On-path attack: An attack where a malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit

Answer 562

Smurf attack Smurf attack: A network attack performed when an attacker sniffs an authorized user’s IP address and floods it with ICMP packets

Answer 563

replay Replay attack: A network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time

Answer 564

Attack surface An attack surface is all the potential vulnerabilities a threat actor could potentially exploit in a system.

Answer 565

To prevent the whole network being compromised by one insecure OS It’s important to secure the OS on each device because one insecure OS could lead to the whole network being compromised.

Answer 566

Disposing of hardware and software properly Enforcing password policies Making patch updates Making patch updates, disposing of hardware and software properly, and enforcing password policies are security hardening tasks. Security hardening is the process of strengthening a system to reduce its vulnerability and attack surface.

Answer 567

operating system The operating system acts as an intermediary between software applications and computer hardware.

Answer 568

True MFA is a security measure that requires a user to verify their identity in at least two ways before they can access a system or network.

Answer 569

Installing security cameras Hiring security guards Physical security is also a part of security hardening and may include securing a physical space with security cameras and security guards.

Answer 570

Security Information and Event Management tool (SIEM) A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization.

Answer 571

Allow ports that are used by normal network operations. A basic principle of port filtering is to allow ports that are used by normal network operations. Any port that is not being used by the normal network operations should be disallowed to protect against vulnerabilities.

Answer 572

False Restricted zones on a network, which contain highly classified or confidential data, should have much higher encryption standards than data in other zones to make them more difficult to access.

Answer 573

Network segmentation This scenario describes network segmentation, which involves creating isolated subnets for different departments in an organization.

Answer 574

Host company data and applications Cloud networks can host company data and applications using cloud computing to provide on-demand storage, processing power, and data analytics.

Answer 575

Cloud service provider Security team Individual users

Answer 576

False Similar to OS hardening, data and applications on a cloud network should be kept separate depending on their service category. For example, older applications should be kept separate from new applications. And software that deals with internal functions should be kept separate from front-end applications seen by users.

Answer 577

unverified changes A key distinction between cloud and traditional network hardening is the use of a server baseline image, which enables security analysts to prevent unverified changes by comparing data in cloud servers to the baseline image.

Answer 578

Misconfigured cloud services are a common source of cloud security issues.

Answer 579

Upgrading an operating system to the latest software version. Fixing known security vulnerabilities in a network or services.

Answer 580

Penetration testing

Answer 581

OS hardening is a set of procedures that maintain and improve OS security. Some OS hardening tasks are performed at regular intervals, while others are performed only once. When disposing of software, it is a best practice to delete any unused applications.

Answer 582

Reduce the attack surface

Answer 583

Network segmentation

Answer 584

Checking baseline configuration

Answer 585

multifactor authentication (MFA)

Answer 586

A firewall function that blocks or allows certain port numbers in order to limit unwanted network traffic

Answer 587

They both require proper maintenance and security hardening.

Answer 588

Operating systems help humans and computers communicate with each other. Maintaining the security of an operating system is critical for the security of a computer. Operating systems allow users to run multiple applications at once. Operating systems help humans and computers communicate and allow users to run multiple applications at once. Maintaining the security of an operating system is also critical for the security of a computer.

Answer 589

The interface between the computer hardware and the user

Answer 590

Applications send requests to the operating system, and the operating system directs those requests to the hardware. The hardware also sends information back to the operating system, and the operating system sends it back to applications.

Answer 591

Computers run efficiently because of operating systems. Operating systems are able to run many applications at once. Operating systems help people interact with computers. Operating systems help people interact with computers, and computers run efficiently because of operating systems. Operating systems are able to run many applications at once.

Answer 592

Windows Linux Android Android, Linux, and Windows are operating systems. Operating systems are interfaces between computer hardware and the user.

Answer 593

True Computers communicate in a language called binary, which consists of 0s and 1s.

Answer 594

Help other computer programs run efficiently The job of a computer operating system is to help make other computer programs run efficiently. It does this by managing the details related to controlling computer hardware.

Answer 595

To ensure the limited capacity of the computer system is used where it is needed most. The OS handles resource and memory management to ensure the limited capacity of the computer system is used where it is needed most.

Answer 596

applications Users interact with applications in order to carry out tasks on a computer. Applications are programs that perform a specific task.

Answer 597

False The management of a computer’s resources and memory is handled by its operating system. The operating system ensures the limited capacity of the computer system is used where it’s needed most.

Answer 598

Step1: Either the BIOS or UEFI microchip is activated when a user turns on a computer. Step 2: The BIOS or UEFI microchip loads the bootloader. Step 3: The bootloader starts the operating system. Either the BIOS or UEFI microchip is activated when a user turns on a computer. The BIOS or UEFI microchip loads the bootloader, and the bootloader starts the operating system.

Answer 599

A CLI allows users to enter commands that can perform multiple tasks simultaneously. (CLI = Command Line Interface)

Answer 600

A user interface that enables people to manage tasks on a computer using icons. A GUI, or graphical user interface, is a user interface that enables people to manage tasks on a computer using icons. Most operating systems can be used with a GUI.

Answer 601

Start menu Task bar Desktop icons and shortcuts

Answer 602

CLI A security professional uses a CLI, or command-line interface, to interact with a computer using text-based instructions.

Answer 603

True A useful feature of a CLI is that it records a history file of commands and actions. This can help security analysts confirm that they used the correct commands from a playbook. It also might help them trace the actions of an attacker.

Answer 604

A program that starts an operating system Step1: Either the BIOS or UEFI microchip is activated when a user turns on a computer. Step 2: The BIOS or UEFI microchip loads the bootloader. Step 3: The bootloader starts the operating system. Either the BIOS or UEFI microchip is activated when a user turns on a computer. The BIOS or UEFI microchip loads the bootloader, and the bootloader starts the operating system.

Answer 605

Operating systems enable computers to run multiple applications at once. Operating systems help people and computers communicate.

Answer 606

Windows macOS®

Answer 607

components of the computers hardware

Answer 608

You would type in the number you wanted to calculate into the application. The application would send this request to the operating system. The hardware would determine the answer and send it back to the operating system. (The operating system will then send it back to the application)

Answer 609

Graphical Command line

Answer 610

A GUI is a user interface that uses icons. A CLI can complete multiple tasks efficiently. CLI commands execute tasks, such as opening a program.

Answer 611

Reviewing a history file in a CLI

Answer 612

Resources and memory

Answer 613

To use digital forensic tools to investigate what happened following an event To examine different types of logs to identify what is going on in a system To verify access and authorization in an identity and access management system Security analysts use Linux to verify access and authorization in an identity and access management system. They also use Linux to examine logs and to investigate what happened following an event.

Answer 614

It manages processes and memory. The kernel is a component of the Linux OS that manages processes and memory. The kernel communicates with the hardware to execute the commands sent by the shell. The kernel uses drivers to enable applications to execute tasks. The Linux kernel helps ensure that the system allocates resources more efficiently and makes the system work faster.

Answer 615

True As a security analyst, you might use Linux to review logs when investigating an issue. Another reason you might use Linux is to verify access and authorization.

Answer 616

Applications The kernel The shell Components of the Linux architecture include applications, the shell, and the kernel. The user, the Filesystem Hierarchy Standard (FHS), and hardware are also components of the Linux architecture.

Answer 617

organizes data The Filesystem Hierarchy Standard (FHS) is the component of the Linux OS that organizes data.

Answer 618

a monitor a printer Monitors and printers are peripheral devices. Peripheral devices are hardware components that are attached and controlled by the computer system. The CPU and RAM are internal hardware. Internal hardware are the components required to run the computer.

Answer 619

Their user interfaces Their pre-installed programs Their parent distributions The pre-installed programs, user interfaces, and parent distributions might differ from one Linux distribution to another.

Answer 620

It should be used on a virtual machine. It is derived from Debian. It contains many pre-installed tools that can be used for cybersecurity tasks. KALI LINUX ™ is a Debian-derived distribution, it contains many pre-installed tools for cybersecurity tasks, and it should be used on a virtual machine. It is an open-source distribution.

Answer 621

kernel Because the kernel is open source, anyone can modify it to build new Linux distributions. The kernel is the component of the Linux OS that manages processes and memory.

Answer 622

A Debian-derived, open-source distribution of Linux designed for security tasks KALI LINUX ™ is a Debian-derived, open-source distribution of Linux designed for security tasks, such as penetration testing and digital forensics.

Answer 623

Ubuntu Ubuntu is an open-source, user-friendly distribution derived from Debian that is widely used in security and other industries. Because of its wide use, Ubuntu has a large number of community resources to support users.

Answer 624

CentOS Parrot Red Hat KALI LINUX ™ is an open-source distribution of Linux that is widely used in the security industry. This is because KALI LINUX ™, which is Debian-based, is pre-installed with many useful tools for penetration testing and digital forensics. A penetration test is a simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes. Digital forensics is the practice of collecting and analyzing data to determine what has happened after an attack. These are key activities in the security industry. However, KALI LINUX ™ is not the only Linux distribution that is used in cybersecurity. Ubuntu Ubuntu is an open-source, user-friendly distribution that is widely used in security and other industries. It has both a command-line interface (CLI) and a graphical user interface (GUI). Ubuntu is also Debian-derived and includes common applications by default. Users can also download many more applications from a package manager, including security-focused tools. Because of its wide use, Ubuntu has an especially large number of community resources to support users. Ubuntu is also widely used for cloud computing. As organizations migrate to cloud servers, cybersecurity work may more regularly involve Ubuntu derivatives. Parrot Parrot is an open-source distribution that is commonly used for security. Similar to KALI LINUX ™, Parrot comes with pre-installed tools related to penetration testing and digital forensics. Like both KALI LINUX ™ and Ubuntu, it is based on Debian. Parrot is also considered to be a user-friendly Linux distribution. This is because it has a GUI that many find easy to navigate. This is in addition to Parrot’s CLI. Red Hat® Enterprise Linux® Red Hat Enterprise Linux is a subscription-based distribution of Linux built for enterprise use. Red Hat is not free, which is a major difference from the previously mentioned distributions. Because it’s built and supported for enterprise use, Red Hat also offers a dedicated support team for customers to call about issues. CentOS CentOS is an open-source distribution that is closely related to Red Hat. It uses source code published by Red Hat to provide a similar platform. However, CentOS does not offer the same enterprise support that Red Hat provides and is supported through the community.

Answer 625

It helps humans and computers communicate with each other. The shell helps humans and computers communicate with each other. It is the command-line interpreter and helps humans communicate with the operating system through the command line.

Answer 626

Standard output or standard error After a user types a command into the shell, the shell can return either standard output or standard error. Standard output is information returned by the OS through the shell. Standard error contains error messages returned by the OS through the shell.

Answer 627

The command-line interpreter It processes commands and outputs the results.

Answer 628

Output An error message After a user inputs a command into the shell, the shell can return output or an error message to the user. Output is the computer's response to the user's input. An error message occurs when the shell cannot interpret the input.

Answer 629

Error messages returned by the operating system through the shell Standard error contains error messages returned by the OS through the shell.

Answer 630

Standard input is sent to the operating system. Standard output is sent from the operating system.

Answer 631

The kernel The shell Components of the Linux architecture include applications, the shell, and the kernel. The user, the Filesystem Hierarchy Standard (FHS), and hardware are also COMPONENTS of the Linux architecture.

Answer 632

Its open-source design Linux is open-source. This means that modification of code, analysis of codes, redistribution of codes, or selling copies of the enhanced codes can be done by anyone in the world provided they come under the same license where the license also costs no charge.

Answer 633

KALI LINUX ™ (KALI LINUX ™ is a trademark of OffSec.) KALI LINUX ™ is a Debian-derived distribution, it contains many pre-installed tools for cybersecurity tasks, and it should be used on a virtual machine.

Answer 634

The different versions of Linux Distributions: The different versions of Linux

Answer 635

Parrot KALI LINUX ™ KALI LINUX ™ is an open-source distribution of Linux that is widely used in the security industry. This is because KALI LINUX ™, which is Debian-based, is pre-installed with many useful tools for penetration testing and digital forensics. A penetration test is a simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes. Digital forensics is the practice of collecting and analyzing data to determine what has happened after an attack. These are key activities in the security industry. However, KALI LINUX ™ is not the only Linux distribution that is used in cybersecurity. Ubuntu Ubuntu is an open-source, user-friendly distribution that is widely used in security and other industries. It has both a command-line interface (CLI) and a graphical user interface (GUI). Ubuntu is also Debian-derived and includes common applications by default. Users can also download many more applications from a package manager, including security-focused tools. Because of its wide use, Ubuntu has an especially large number of community resources to support users. Ubuntu is also widely used for cloud computing. As organizations migrate to cloud servers, cybersecurity work may more regularly involve Ubuntu derivatives. Parrot Parrot is an open-source distribution that is commonly used for security. Similar to KALI LINUX ™, Parrot comes with pre-installed tools related to penetration testing and digital forensics. Like both KALI LINUX ™ and Ubuntu, it is based on Debian. Parrot is also considered to be a user-friendly Linux distribution. This is because it has a GUI that many find easy to navigate. This is in addition to Parrot’s CLI. Red Hat® Enterprise Linux® Red Hat Enterprise Linux is a subscription-based distribution of Linux built for enterprise use. Red Hat is not free, which is a major difference from the previously mentioned distributions. Because it’s built and supported for enterprise use, Red Hat also offers a dedicated support team for customers to call about issues. CentOS CentOS is an open-source distribution that is closely related to Red Hat. It uses source code published by Red Hat to provide a similar platform. However, CentOS does not offer the same enterprise support that Red Hat provides and is supported through the community.

Answer 636

shell Shell: The command-line interpreter

Answer 637

Standard output Standard input Standard error The communication methods with the shell are standard output, standard error, and standard input.

Answer 638

CPU Hardware: The physical components of a computer

Answer 639

An error message

Answer 640

It displays the names of files and directories in the current working directory. Pwd = Shows path directory where you're currently working cd = Change directory

Answer 641

An instruction telling the computer to do something

Answer 642

An instruction that tells a computer to do something

Answer 643

pwd pwd = Prints the working directory on the screen cd = Change directory. ls= Prints name of files in the current directory cat= displays full content of files head = Prints top 10 of list tail = prints last 10 of list

Answer 644

grep error log.txt You can enter grep error log.txt. The grep command searches a specified file and returns all lines in the file containing a specified string. Its first argument is the string you are searching for. Its second argument is the file you are searching through.

Answer 645

touch You can use the touch command to create a new file. mkdir = Creates a new directory rmdir= Removes, or deletes, a directory rm= Removes, or deletes, a file touch= Creates a new file mv= Moves a file or directory to a new location cp= Copies a file or directory into a new location

Answer 646

The string to search for and the file to search through The grep command is commonly followed by the string to search for and the file to search through. It is used to search files for specified strings.

Answer 647

Copy the vulnerabilities.txt file into the projects directory They want the operating system to copy the vulnerabilities.txt file into the projects directory. The original version of the file or directory will also remain in its original location.

Answer 648

It sends the standard output of one command as standard input to another command for further processing. The piping command (|) sends the standard output of one command as standard input to another command for further processing.

Answer 649

chmod If you want to change the permissions on an approved_users.txt file, you can use chmod. The chmod command changes permissions on files and directories.

Answer 650

Create new files in that directory When working with a directory, write permissions allow users to create new files in that directory.

Answer 651

touch failed_logins.txt The command touch failed_logins.txt creates a new file called failed_logins.txt. The touch command is used to create a new file.

Answer 652

It temporarily grants elevated permissions to specific users. The sudo command temporarily grants elevated permissions to specific users. Elevated permissions are necessary to run certain commands such as useradd and userdel.

Answer 653

The group has read permissions. The user has write permissions. The 3rd character of the file permissions string -rw-rw-rw- indicates that the user has write permissions, and the 5th character of the file permissions string -rw-rw-rw- indicates that the group has read permissions.

Answer 654

The concept of granting access to specific resources in a system

Answer 655

Add write permissions to the group for the access.txt file The command chmod g+w access.txt tells the operating system to add write permissions to the group.

Answer 656

chown userdel useradd The useradd, userdel, and chown commands must typically be used with sudo. The useradd command adds a user to the system, userdel deletes a user from the system, and chown changes ownership of a file.

Answer 657

chmod g+x projects They enter chmod g+x projects. This command adds execute permissions for the group.

Answer 658

A global community of Linux users has formed. Because Linux is an open-source operating system, a global community of Linux users has formed. The global community is a huge resource for all Linux users because users can find answers for everyday tasks.

Answer 659

To display information on what other commands are and how they work You can use the man command to display information on what other commands are and how they work. For example, if you want information on the chown command and how it works, you can enter man chown.

Answer 660

Linux users can find support from the community for everyday tasks. The community is focused on collecting feedback from advanced users of Linux. The community publishes online information to help users learn how to operate Linux. Linux’s online global community enables users to find support for everyday tasks. Information is published online to help users learn how to operate Linux. In addition, because Linux is open-source, members of the community can easily contribute.

Answer 661

Display information on other commands and how they work The man command displays information on other commands and how they work. For more information about a specific command, enter this other command after man.

Answer 662

Display a description of a command on a single line The whatis command displays a description of a command on a single line. It is useful if you do not need the additional details found in the entire man page.

Answer 663

Users can search for a command even if they do not know the specific command name. Users can use apropos to search for a command even if they do not know the specific command name. The apropos command searches the manual page descriptions for a specified string.

Answer 664

/home/analyst/projects vulnerabilities.txt Argument (Linux): Specific information needed by a command

Answer 665

root directory Root directory: The highest-level directory in Linux

Answer 666

Searches a specified file and returns all lines in the file containing a specified string

Answer 667

Creates a new file

Answer 668

Read, write, and execute

Answer 669

Add write permissions to the user for the access.txt file Remove read permissions from the group for the access.txt file

Answer 670

Use the sudo command sudo: Temporarily grants elevated permissions to specific users; users must be in a sudoers file to use have access to sudo

Answer 671

apropos apropos Searches the manual page descriptions for a specified string

Answer 672

The owner does not have execute permissions for this directory

Answer 673

To find relevant information to support cybersecurity-related decisions

Answer 674

Relational databases contain tables that are related to each other through primary and foreign keys. A relational database is a structured database containing tables that are related to each other through primary and foreign keys.

Answer 675

Finding data to support security-related decisions and analysis Creating, interacting with, and requesting information from a database SQL is a programming language used to create, interact with, and request information from a database. SQL's filtering can be used to find data to support security-related decisions.

Answer 676

True A record of attempts to connect to an organization’s network is one example of a log. Logs are records of events that occur within an organization's systems.

Answer 677

query A request for data from a database table or a combination of tables is called a query.

Answer 678

All columns from the specified table SELECT * instructs SQL to return all columns from the specified table.

Answer 679

WHERE username LIKE 'a%'; WHERE username LIKE 'a%'; contains the correct syntax to return all records that contain a value in the username column that starts with the character 'a'. The LIKE operator is used with WHERE to search for a pattern in a column. The % wildcard substitutes for any number of other characters.

Answer 680

Selecting data that match a certain condition Filtering in SQL is selecting data that match a certain condition. Analysts use filters in SQL to return the data they need.

Answer 681

SELECT firstname, lastname, phone FROM employees;

Answer 682

SELECT * FROM log_in_attempts WHERE country = 'Canada';

Answer 683

'A%' The percentage sign (%) is a wildcard that substitutes for any number of other characters. The pattern 'A%' matches with any string that starts with the character 'A'.

Answer 684

WHERE event_id BETWEEN 5 AND 8; WHERE event_id BETWEEN 5 AND 8; returns all records that have a value of 5, 6, 7, or 8 in the event_id column. The BETWEEN operator filters for values within a range. The BETWEEN operator is placed before the first value to be included in the range. This is followed by the AND operator and the last value to be included in the range.

Answer 685

To find the ID numbers of all employees working in either the U.S. or Canada A security analyst might use the OR operator to find the ID numbers of all employees working in either the U.S. or Canada. The OR operator specifies that either condition can be met.

Answer 686

WHERE date BETWEEN '01-01-2015' AND '01-04-2015'; The filter WHERE date BETWEEN '01-01-2015' AND '01-04-2015'; outputs all records with values in the date column between '01-01-2015' and '01-04-2015'.

Answer 687

NOT NOT is most efficient at returning all records with a status other than 'successful'. The NOT operator negates a condition. In this case, it can be used in a filter of WHERE NOT status = 'successful';.

Answer 688

SELECT firstname, lastname, country FROM customers WHERE country = 'Brazil' or country = 'Argentina';

Answer 689

Information about customers who have a value of 'USA' in the country column and a value of 'NV' in the state column. The query returns information about customers who have a value of 'USA' in the country column and a value of 'NV' in the state column. The AND operator specifies that both conditions must be met simultaneously.

Answer 690

All rows in the log_in_attempts and employees tables that match on username All columns in the log_in_attempts and employees tables This query will return all rows in the log_in_attempts and employees tables that match on username and all columns in the log_in_attempts and employees tables. INNER JOIN returns rows matching on a specified column that exists in more than one table. It returns all columns that are indicated following the SELECT keyword. In this case, SELECT * indicates to return all columns.

Answer 691

Inner joins only return rows that match on a specified column, but outer joins also return rows that don't match on the specified column.

Answer 692

RIGHT JOIN LEFT JOIN LEFT JOIN and RIGHT JOIN return all rows from only one of the tables being joined. LEFT JOIN returns all the records of the first table, but only returns rows of the second table that match on a specified column. RIGHT JOIN returns all of the records of the second table, but only returns rows from the first table that match on a specified column. FULL OUTER JOIN returns all records from both tables.

Answer 693

SELECT * FROM employees INNER JOIN machines ON employees.employee_id = machines.employee_id; The following query has the correct syntax for the INNER JOIN: SELECT * FROM employees INNER JOIN machines ON employees.employee_id = machines.employee_id; It specifies the left table after FROM, then specifies the right table after INNER JOIN, and then uses the correct syntax after ON when indicating the column to join on.

Answer 694

LEFT JOIN LEFT JOIN returns all records from the employees table, but only records that match on employee_id from the machines table. Because it is located after FROM, the employees table is the left table.

Answer 695

SELECT customerid, trackid FROM invoices INNER JOIN invoice_items ON invoices.invoiceid = invoice_items.invoiceid;

Answer 696

The analyst can efficiently find the login data they need.

Answer 697

Each row must have a unique value. They cannot be null (or empty).

Answer 698

SELECT employee_id, device_id FROM employees WHERE employee_id > 1100; SELECT * FROM employees;

Answer 699

INNER JOIN INNER JOIN Returns records matching on a specified column that exists in more than one table; the column used to join the tables is specified following INNER JOIN with syntax that includes ON and equal to (=) LEFT JOIN Returns all the records of the first table, but only returns records of the second table that match on a specified column; the first (or left) table appears directly after the keyword FROM; the column used to join the tables is specified following LEFT JOIN with syntax that includes ON and equal to (=) RIGHT JOIN Returns all of the records of the second table, but only returns records from the first table that match on a specified column; the second (or right) table appears directly after the RIGHT JOIN keyword; the column used to join the tables is specified following RIGHT JOIN with syntax that includes ON and equal to (=) FULL OUTER JOIN Returns all records from both tables; the column used to join the tables is specified following FULL OUTER JOIN with syntax that includes ON and equal to (=)

Answer 700

To only return rows that match the filter

Answer 701

WHERE name LIKE ‘Dr.%’;

Answer 702

All columns of the employees and machines tables, all records from the machines table, and the records from employees that match on device_id

Answer 703

SELECT lastname, title FROM employees;

Answer 704

SELECT firstname,lastname,hiredate FROM employees WHERE hiredate >= '2003-10-17';

Answer 705

Assets Vulnerabilities Threats Security risk planning involves the analysis of three elements: assets, threats, and vulnerabilities. An asset is an item perceived as having value to an organization, such as a cash register and the money inside it.

Answer 706

Restricted assets are often highly sensitive and considered need-to-know.

Answer 707

Anything that can impact the confidentiality, integrity, or availability of an asset

Answer 708

Threat The rogue device is a threat because it is negatively impacting the company's assets.

Answer 709

Confidential This data is confidential. Confidential assets such as this customer survey data can only be accessed by those working on a specific project.

Answer 710

Asset classification Asset classification is the practice of labeling assets based on sensitivity and importance to an organization.

Answer 711

False Security teams are responsible for protecting data in all states: in use, in transit, and at rest.

Answer 712

Information security Information security, or InfoSec, is the practice of keeping data in all states away from unauthorized users.

Answer 713

At rest The files are at rest. Data is at rest when it is not being accessed. Data in transit refers to information that is digitally moving from one place to another, such as over a network.

Answer 714

A sent email is traveling over the network to reach its destination. An email traveling over a network to its destination is an example of data in transit.

Answer 715

accessed Data is in use when it is being accessed by one or more users.

Answer 716

Policies Standards Procedures Security plans include three basic elements: policies, standards, and procedures. Policies are a set of rules that reduce risk and protect information. Standards are references that inform how to set policies. Procedures are step-by-step instructions for performing a security task.

Answer 717

Respond Recover Protect The five NIST Cybersecurity Framework (CSF) core functions are identify, protect, detect, respond, and recover. The core is a simplified version of the functions or duties of a security plan. Think of these functions as a checklist for reducing security risk.

Answer 718

Security plans address risks such as damage to assets, loss of information, and disclosure of data.

Answer 719

Procedures Standards Policies The basic elements of a security plan are policies, standards, and procedures. Policies are rules that reduce risk and protect information. Standards are references that inform how to set policies. And procedures are step-by-step instructions to perform a specific security task.

Answer 720

voluntary The NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. It is a comprehensive framework with a flexible design that can be used in any industry.

Answer 721

It helps organizations achieve regulatory standards. It’s adaptable to fit the needs of any business. It can be used to identify and assess risk. Some benefits of the CSF are that it's adaptable to fit the needs of any business, it helps organizations achieve regulatory standards, and it can be used to identify and assess risk.

Answer 722

Threat Threat: Any circumstance or event that can negatively impact assets

Answer 723

An employee misconfiguring a firewall A malfunctioning door lock Vulnerability: A weakness that can be exploited by a threat

Answer 724

It helps identify risks. It uncovers gaps in security.

Answer 725

Project managers Teammates

Answer 726

It is highly sensitive. It is considered need-to-know.

Answer 727

Most information is in the form of data. Technologies are interconnected

Answer 728

A file being downloaded from a website An email being sent to a colleague

Answer 729

Establish a shared set of standards for protecting assets. Outline clear procedures that describe how to protect assets and react to threats. Define consistent policies that address what’s being protected and why.

Answer 730

Core Tiers Profiles Core The CSF core is a set of desired cybersecurity outcomes that help organizations customize their security plan. It consists of five functions, or parts: Identify, Protect, Detect, Respond, and Recover. These functions are commonly used as an informative reference to help organizations identify their most important assets and protect those assets with appropriate safeguards. The CSF core is also used to understand ways to detect attacks and develop response and recovery plans should an attack happen. Tiers The CSF tiers are a way of measuring the sophistication of an organization's cybersecurity program. CSF tiers are measured on a scale of 1 to 4. Tier 1 is the lowest score, indicating that a limited set of security controls have been implemented. Overall, CSF tiers are used to assess an organization's security posture and identify areas for improvement. Profiles The CSF profiles are pre-made templates of the NIST CSF that are developed by a team of industry experts. CSF profiles are tailored to address the specific risks of an organization or industry. They are used to help organizations develop a baseline for their cybersecurity plans, or as a way of comparing their current cybersecurity posture to a specific industry standard.

Answer 731

Tiers Core The CSF core is a set of desired cybersecurity outcomes that help organizations customize their security plan. It consists of five functions, or parts: Identify, Protect, Detect, Respond, and Recover. These functions are commonly used as an informative reference to help organizations identify their most important assets and protect those assets with appropriate safeguards. The CSF core is also used to understand ways to detect attacks and develop response and recovery plans should an attack happen. Tiers The CSF tiers are a way of measuring the sophistication of an organization's cybersecurity program. CSF tiers are measured on a scale of 1 to 4. Tier 1 is the lowest score, indicating that a limited set of security controls have been implemented. Overall, CSF tiers are used to assess an organization's security posture and identify areas for improvement. Profiles The CSF profiles are pre-made templates of the NIST CSF that are developed by a team of industry experts. CSF profiles are tailored to address the specific risks of an organization or industry. They are used to help organizations develop a baseline for their cybersecurity plans, or as a way of comparing their current cybersecurity posture to a specific industry standard.

Answer 732

Operational Managerial Technical The three types of security controls are technical, operational, and managerial. Each type of security control plays a key role in effective information privacy.

Answer 733

Software developers who are knowledgeable about the product The software they are reviewing The writer should have access to the software they are reviewing and the software developers who can help them understand what information is appropriate to share with readers.

Answer 734

GDPR, PCI DSS, and HIPAA are notable privacy regulations that influence how organizations approach their information security.

Answer 735

Cryptography Cryptography is the process of transforming information into a form that unintended readers cannot understand. In cryptography, a cipher is used to hide, or encrypt, information.

Answer 736

The establishment of trust using digital certificates The PKI process involves the exchange of encrypted information and the establishment of trust using digital certificates. In PKI, data can be encrypted using asymmetric encryption, symmetric encryption, or both. Then, a digital certificate binds the data's public key to the verified identity of a website, individual, organization, device, or server.

Answer 737

integrity Hash values are primarily used as a way to determine the integrity of files and applications. Hashes also keep information confidential because they can't be decrypted.

Answer 738

Key Cipher A cipher and a key are required when using encryption. This enables secure information exchange.

Answer 739

Digital certificates Encryption algorithms PKI uses encryption algorithms and digital certificates to securely exchange information online. Asymmetric and symmetric algorithms are used first to quickly and securely encrypt data. Digital certificates are used second as a way of signalling trust between the sender and receiver when exchanging encrypted data online.

Answer 740

Asymmetric Asymmetric encryption produces a public and private key pair that are used to encrypt and decrypt information. The public key is shared with others while the data owner manages the private key.

Answer 741

No. Hash algorithms do not produce decryption keys. The attacker cannot decrypt the user passwords because they are stored as a hash value that is irreversible. Only symmetric and asymmetric encryption algorithms produce decryption keys.

Answer 742

Non-repudiation Non-repudiation means that the authenticity of information cannot be denied. It also confirms that the sender of data is who they claim to be.

Answer 743

Ownership Knowledge Characteristic The three factors of authentication are: characteristic, ownership, and knowledge. Knowledge is used to verify a user's identity using something the user knows, like a password.

Answer 744

Separation of duties Authorization controls are linked to the separation of duties and the principle of least privilege. Separation of duties is the principle that users should not be given levels of authorization that would allow them to misuse a system.

Answer 745

Knowledge, ownership, and characteristic are the three factors used by authentication systems to verify a user’s identity.

Answer 746

By simplifying their user management By providing a better user experience Providing a better user experience and simplifying their user management are ways that businesses benefit from implementing SSO.

Answer 747

Separation of duties The retail company is implementing the separation of duties principle. Separation of duties is the security principle that users should not be given levels of authorization that would allow them to misuse a system.

Answer 748

Authentication Authorization Accounting The three categories of access controls are authentication, authorization, and accounting.

Answer 749

An application programming interface (API) token OAuth uses an API token to authenticate users. An API token is a digital credential that is shared between a platform and a service provider to verify a user's identity.

Answer 750

Providing security awareness training Responding to an incident alert

Answer 751

The IP address of the computer used to log in The time the user signed in and out

Answer 752

A single secret key

Answer 753

They are more difficult to brute force

Answer 754

Digital certificates Symmetric encryption Asymmetric encryption In a Public Key Infrastructure (PKI), the main security controls applied are Digital Certificates, Asymmetric Encryption, and Symmetric Encryption. A Digital Certificate is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents. Asymmetric encryption, also known as public-key cryptography, uses two mathematically related, but not identical, keys - a public key and a private key. It is an essential aspect of conventional PKI as it provides the secret communication and secures private key information. Symmetric encryption is a type of encryption where the same key is used for encryption and decryption. It is used in PKI to encrypt the data that is being transmitted over the network. Multi-factor authentication, while a crucial security measure, is not typically considered a part of PKI. It is a method of establishing access to an online account or computer system that requires more than one form of identification.

Answer 755

Username Password

Answer 756

Stolen credentials can give attackers access to multiple resources.

Answer 757

Separation of duties Least privilege Separation of duties, also known as segregation of duties, is the concept of having more than one person required to complete a task. Least privilege: The principle of least privilege (PoLP) is an information security concept which maintains that a user or entity should only have access to the specific data, resources and applications needed to complete a required task.

Answer 758

A user’s identity A user's site permissions

Answer 759

Accounting While accounting deals with the tracking and recording of financial transactions, auditing fulfils the role of verifying the accuracy of the accounts.

Answer 760

Consider potential exploits Prepare defenses against threats Identify vulnerabilities Vulnerability management is a four-step process that includes the following steps: identify vulnerabilities, consider potential exploits, prepare defenses against threats, and evaluate those defenses.

Answer 761

Defense in depth Defense in depth is a layered approach to vulnerability management that reduces risk. It's a security approach that protects assets by surrounding them with multiple layers of protection.

Answer 762

Vulnerabilities must be recognized as a potential security risk. Vulnerabilities must be submitted with supporting evidence. Vulnerabilities must only affect one codebase. Vulnerabilities must be submitted with supporting evidence. Vulnerabilities must only affect a single codebase, be submitted with supporting evidence, and be recognized as potential security risks to qualify for a CVE® ID. They must also be independent of other issues.

Answer 763

Identify vulnerabilities Prepare defenses against threats Vulnerability management is a four step process. The first step is to identify vulnerabilities. The next step is to consider potential exploits of those vulnerabilities. Third is to prepare defenses against threats. And finally, the fourth step is to evaluate those defenses.

Answer 764

Perimeter The first layer of defense in depth is the perimeter layer. This layer includes some technologies that we've already explored, like usernames and passwords. Mainly, this is a user authentication layer that filters external access. Its function is to only allow access to trusted partners to reach the next layer of defense. Second, the network layer is more closely aligned with authorization. The network layer is made up of other technologies like network firewalls and others. Next, is the endpoint layer. Endpoints refer to the devices that have access on a network. They could be devices like a laptop, desktop, or a server. Some examples of technologies that protect these devices are anti-virus software. After that, we get to the application layer. This includes all the interfaces that are used to interact with technology. At this layer, security measures are programmed as part of an application. One common example is multi-factor authentication. You may be familiar with having to enter both your password and a code sent by SMS. This is part of the application layer of defense. And finally, the fifth layer of defense is the data layer. At this layer, we've arrived at the critical data that must be protected, like personally identifiable information. One security control that is important here in this final layer of defense is asset classification.

Answer 765

A zero-day A zero-day refers to an exploit that was previously unknown.

Answer 766

It must be independently fixable. The submission must have supporting evidence. Criteria that must be met are that vulnerabilities should be independently fixable and must have supporting evidence.

Answer 767

Identification Risk assessment Remediation A vulnerability assessment may include identification, risk assessment, and remediation. It may also include vulnerability analysis. During remediation, the vulnerabilities that were identified and analyzed are addressed.

Answer 768

assessment A vulnerability assessment is an internal review process of an organization's security systems.

Answer 769

To identify existing weaknesses To reduce overall threat exposure The goals of a vulnerability assessment are to identify existing weaknesses and reduce overall threat exposure.

Answer 770

Installing software updates and patches Training employees to follow new security procedures Examples of remediations that might be performed after a vulnerability scan include training employees on new procedures and installing software updates and patches.

Answer 771

Authenticated or unauthenticated Limited or comprehensive Authenticated or unauthenticated and limited or comprehensive are two types of vulnerability scans. Internal and external is another common type of vulnerability scanning.

Answer 772

The organization's website The organization's website is an example of its digital attack surface. An attack surface refers to all the potential vulnerabilities that a threat actor could exploit. The digital attack surface consists of everything that's connected to an organization's network.

Answer 773

The organization's website The organization's website is an example of its digital attack surface. An attack surface refers to all the potential vulnerabilities that a threat actor could exploit. The digital attack surface consists of everything that's connected to an organization's network.

Answer 774

The organization's website The organization's website is an example of its digital attack surface. An attack surface refers to all the potential vulnerabilities that a threat actor could exploit. The digital attack surface consists of everything that's connected to an organization's network.

Answer 775

Attack vectors Attack vectors refer to the pathways attackers use to penetrate security defenses. Threat actors use attack vectors to exploit vulnerabilities and exposures.

Answer 776

An attack vector refers to the pathways attackers use to penetrate security defenses; an attack surface refers to all the vulnerabilities of an asset that can be exploited. Attack vectors are the pathways threat actors use to penetrate security defenses. Attack surfaces are all the potential vulnerabilities that a threat actor could exploit.

Answer 777

Keeping systems patched and updated Hashing all user passwords Disabling unused network ports Disabling unused network ports, hashing all user passwords, and keeping systems patched and updated are examples of security hardening.

Answer 778

Identify a target Evaluate a target’s attack vectors Determine how a target can be accessed Identifying a target, determining how they can be accessed, and evaluating their attack vectors are steps that are applied when using an attacker mindset.

Answer 779

By educating users so they can participate in preventing attacks By controlling access and authorization to assets By implementing security controls that protect information Business can reduce the number of attack vectors they have by controlling access and authorization to assets, implementing security controls that protect information, and educating users so they can participate in preventing attacks.

Answer 780

Determine how the target can be accessed.

Answer 781

Identify ways to fix existing vulnerabilities.

Answer 782

Vulnerability management is a way to limit security risks. Vulnerability management should consider various perspectives.

Answer 783

A vulnerability

Answer 784

It must be submitted with supporting evidence. It must be independent of other issues. It can only affect one codebase. It must be recognized as a potential security risk.

Answer 785

Perform a risk assessment of the old operating system. The first step is identification. Here, scanning tools and manual testing are used to find vulnerabilities. During the identification step, the goal is to understand the current state of a security system, like taking a picture of it. A large number of findings usually appear after identification. The next step of the process is vulnerability analysis. During this step, each of the vulnerabilities that were identified are tested. By being a digital detective, the goal of vulnerability analysis is to find the source of the problem. The third step of the process is risk assessment. During this step of the process, a score is assigned to each vulnerability. This score is assigned based on two factors: how severe the impact would be if the vulnerability were to be exploited and the likelihood of this happening. Vulnerabilities uncovered during the first two steps of this process often outnumber the people available to fix them. Risk assessments are a way of prioritizing resources to handle the vulnerabilities that need to be addressed based on their score. The fourth and final step of vulnerability assessment is remediation. It's during this step that the vulnerabilities that can impact the organization are addressed. Remediation occurs depending on the severity score assigned during the risk assessment step.

Answer 786

Digital Physical Physical attack surfaces comprise all endpoint devices, such as desktop systems, laptops, mobile devices, hard drives and USB ports. Digital attack surfaces encompass applications, code, ports, servers and websites, as well as unauthorized system access points.

Answer 787

Use persuasion tactics Disconnect from the target Establish trust The stages of a social engineering attack may be to establish trust, use persuasion tactics, and disconnect from the target. An attack may also include preparing information about the target. To establish trust, attackers use the information they gathered earlier to open a line of communication.

Answer 788

Smishing Vishing Smishing and vishing are types of phishing. Smishing is a type of phishing that uses text messages to deceive users into sharing sensitive information.

Answer 789

Phishing Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.

Answer 790

Vishing Vishing refers to the use of electronic voice communications to obtain sensitive information or impersonate a known source.

Answer 791

disconnect from the target The stages of a social engineering attack include to prepare, establish trust, use persuasion tactics, and disconnect from the target. Attackers typically break communications with their target after collecting the information they want. They do this to cover their tracks if they decide to target others in an organization.

Answer 792

Fraudulent web links Fake data-collection forms Malicious attachments Phishing kits typically contain tools such as malicious attachments, fake data-collection forms, and fraudulent web links in order to help attackers avoid detection.

Answer 793

Ransomware Ransomware is a type of malicious attack where attackers encrypt an organization's data and demand payment to restore access.

Answer 794

Using malware blocking browser extensions Some actions that can be taken to protect against cryptojacking include using malware blocking browser extensions and setting up monitoring processes for increased CPU usage.

Answer 795

Spyware Viruses Viruses and spyware are a type of malware. A virus is designed to interfere with a computer's operation and cause damage to data and software. Spyware collects information from users without their consent.

Answer 796

Worms Worms are malware that automatically duplicate and spread themselves across systems.

Answer 797

Cryptojacking Cryptojacking is a cybercrime that is used to mine cryptocurrencies.

Answer 798

Slowdowns in performance Increased CPU usage Unusual system crashes Common signs of a malware infection include increased CPU usage, slowdowns in performance, and unusual system crashes.

Answer 799

DOM-based Stored Reflected Types of XSS attacks are: reflected, stored, and DOM-based. A DOM-based XSS attack is an instance when a malicious script exists in the webpage a browser loads.

Answer 800

SQL injection A SQL injection is an attack that executes unexpected queries on a database. The injections take place in areas of the website that are designed to accept user input.

Answer 801

Web-based exploits Web-based exploits are malicious code or behaviors that are used to take advantage of coding flaws in a web application.

Answer 802

HTML JavaScript XSS attacks are delivered by exploiting the two languages used by most websites, HTML and JavaScript.

Answer 803

prepared statement A prepared statement is a coding technique that executes SQL statements before passing them onto the database. Prepared statements are used to defend against SQL injection attacks by validating code before performing a query.

Answer 804

When using the login form to access a site When a user enters their credentials Two examples of when SQL injections can take place are when using the login form to access a site and when a user enters their credentials. SQL injection can take place in areas of the website that are designed to accept user input.

Answer 805

Sensitive information Administrative rights In a SQL injection attack, malicious hackers attempt to obtain sensitive information and gain administrative rights. Malicious hackers target attack vectors to obtain sensitive information, modify tables, and even gain administrative rights to the database.

Answer 806

Identify threats Evaluate findings There are six steps of the threat modeling process: define the scope, identify threats, characterize the environment, analyze threats, mitigate risks, and evaluate findings.

Answer 807

threat modeling PASTA is a popular threat modeling framework that’s used across many industries. Threat modeling is the process of identifying assets, their vulnerabilities, and how each is exposed to threats.

Answer 808

anticipate Threat modeling is a process security teams use to anticipate attacks by examining organizational assets from a security-related perspective.

Answer 809

Characterize the environment. Identify threats. Mitigate risks. Identify threats, characterize the environment, and mitigate risks are some steps of a typical threat modeling process. Mitigating risks is the fifth step of the process when security teams decide whether to avoid, transfer, reduce, or accept risks that were identified.

Answer 810

An attack tree The type of diagram the team created is an attack tree. An attack tree is a diagram that maps threats to assets.

Answer 811

PASTA Trike PASTA and Trike are threat modeling frameworks. Like other threat modeling frameworks, they can be used to proactively reduce risks to a system or business process.

Answer 812

Document potential risks. Prepare fixes. Improve security plans. The objectives of PASTA or any other threat modeling activity is to document potential risks, prepare fixes, and improve security plans. Threat modeling captures the current state of a security plan and highlights how it can be improved.

Answer 813

An email urgently asking you to send money to help a friend who is stuck in a foreign country An unfamiliar employee asking you to hold the door open to a restricted area A pop-up advertisement promising a large cash reward in return for sensitive information Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables

Answer 814

Smishing Smishing: The use of text messages to trick users to obtain sensitive information or to impersonate a known source

Answer 815

Cross-site scripting SQL injection Malware: Software designed to harm devices or networks Cross-site scripting (XSS): An injection attack that inserts code into a vulnerable website or web application SQL injection: An attack that executes unexpected queries on a database

Answer 816

Ransomware Ransomware: Type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access

Answer 817

Sudden system crashes Unusually high electricity costs Increased CPU usage Cryptojacking: A form of malware that installs software to illegally mine cryptocurrencies

Answer 818

DOM-based DOM-based XSS attack is an instance when a malicious script exists in the webpage a browser loads. Stored XSS attack: An instance when malicious script is injected directly on the server Reflected XSS attack: An instance when malicious script is sent to a server and activated during the server’s response

Answer 819

To gain administrative rights to a database To delete entire tables in a database To steal the access credentials of users in a database

Answer 820

Help prioritize threats Reduce an attack surface Identify points of failure

Answer 821

Define the technical scope

Answer 822

Containment, Eradication, and Recovery Detection and Analysis Post-Incident Activity The three other phases of the NIST Incident Response Lifecycle are: Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

Answer 823

Cyclical The NIST Incident Response Lifecycle is a cyclical process. This means that phases in the lifecycle can be revisited or repeated as incident investigations progress.

Answer 824

event An event is an observable occurrence on a network, system, or device.

Answer 825

Where the incident took place When the incident took place Who triggered the incident The other W's are: who triggered the incident, when the incident took place, and where the incident took place.

Answer 826

To provide services and resources for response and recovery To prevent future incidents from occurring To manage incidents The goals of CSIRTs are to effectively and efficiently manage incidents, prevent future incidents from occurring, and provide services and resources for response and recovery.

Answer 827

An incident response plan An incident response plan outlines the procedures to follow after an organization experiences a ransomware attack.

Answer 828

security analysts Security analysts investigate security alerts and determine whether an incident has occurred.

Answer 829

Incident coordinator An incident coordinator is responsible for tracking and managing the activities of all teams involved in the response process.

Answer 830

Documentation Documentation is any form of recorded content that is used for a specific purpose.

Answer 831

Collect and analyze system information for abnormal activity Monitor system and network activity Alert on possible intrusions An IDS is an application that can monitor system and network activity, and provide alerts on possible intrusions. An IDS also collects and analyzes system information for abnormal or unusual activity.

Answer 832

Final reports Policies Playbooks Playbooks, final reports, and policies are examples of different types of documentation.

Answer 833

Jira Ticketing systems such as Jira can be used to document and track incidents.

Answer 834

Intrusion detection system An intrusion detection system (IDS) is an application that monitors system activity, then produces alerts about possible intrusions.

Answer 835

Monitor activity Stop intrusive activity Detect abnormal activity An IPS monitors, detects, and stops abnormal or intrusive activity.

Answer 836

Collect and aggregate data, normalize data, and analyze data First, SIEM tools collect and aggregate data. This data is typically in the form of logs, which are basically a record of all the events that happened on a given source. Data can come from multiple sources such as IDS or IPS, databases, firewalls, applications, and more. After all this data gets collected, it gets aggregated. Aggregation simply means all this data from different data sources gets centralized in one place. Depending on the number of data sources a SIEM collects from, a huge volume of raw unedited data can get collected. And not all data that's collected by a SIEM is relevant for security analysis purposes. Next, SIEM tools normalize data. Normalization takes the raw data that the SIEM has collected and cleans it up by removing non essential attributes so that only what's relevant is included. Data normalization also creates consistency in log records, which is helpful when you're searching for specific log information during incident investigation. Finally, the normalized data gets analyzed according to configured rules. SIEM analyzes the normalized data against a rule set to detect any possible security incidents, which then get categorized or reported as alerts for security analysts to review.

Answer 837

Security information and event management (SIEM) tool SIEM tools collect and analyze log data to monitor critical activities in an organization.

Answer 838

respond to SOAR is a collection of applications, tools, and workflows that uses automation to respond to security events.

Answer 839

Normalize data During the normalize data step in the SIEM process, raw data is transformed to create consistent log records. The normalization process involves cleaning the data and removing non-essential attributes. The first step in the SIEM process is data collection and aggregation. First, a SIEM collects data from multiple different sources and then aggregates the data.

Answer 840

Aggregation Aggregation is the process of gathering data from different sources and putting it in one centralized place.

Answer 841

Clear Consistent Accurate

Answer 842

Analyzing events

Answer 843

An IDS monitors system activity and alerts on intrusive activity whereas an IPS stops intrusive activity.

Answer 844

System information Incident response procedures

Answer 845

Security analyst Incident coordinator Technical lead Security analyst The job of the security analyst is to continuously monitor an environment for any security threats. This includes: Analyzing and triaging alerts Performing root-cause investigations Escalating or resolving alerts If a critical threat is identified, then analysts escalate it to the appropriate team lead, such as the technical lead. Technical lead The job of the technical lead is to manage all of the technical aspects of the incident response process, such as applying software patches or updates. They do this by first determining the root cause of the incident. Then, they create and implement the strategies for containing, eradicating, and recovering from the incident. Technical leads often collaborate with other teams to ensure their incident response priorities align with business priorities, such as reducing disruptions for customers or returning to normal operations. Incident coordinator Responding to an incident also requires cross-collaboration with nonsecurity professionals. CSIRTs will often consult with and leverage the expertise of members from external departments. The job of the incident coordinator is to coordinate with the relevant departments during a security incident. By doing so, the lines of communication are open and clear, and all personnel are made aware of the incident status. Incident coordinators can also be found in other teams, like the SOC.

Answer 846

Respond Detect

Answer 847

A framework that provides a blueprint for effective incident response

Answer 848

Multiple unauthorized transfers of sensitive documents to an external system.

Answer 849

SIEM tools collect and analyze log data, which are then reviewed by security analysts. SOAR tools use automation to respond to security incidents.

Answer 850

data normalization During the normalize data step in the SIEM process, raw data is transformed to create consistent log records. The normalization process involves cleaning the data and removing non-essential attributes. The first step in the SIEM process is data collection and aggregation. First, a SIEM collects data from multiple different sources and then aggregates the data.

Answer 851

They provide a way to identify an attack. IoCs help security analysts detect network traffic abnormalities by providing a way to identify an attack. IoCs provide analysts with specific evidence associated with an attack, such as a known malicious IP address, which can help quickly identify and respond to a potential security incident.

Answer 852

exfiltration Data exfiltration is the unauthorized transmission of data from a system.

Answer 853

Lateral movement This scenario describes lateral movement. Lateral movement, also called pivoting, describes an attacker exploring a network with the goal of expanding and maintaining their access.

Answer 854

To identify malicious activity To understand network traffic patterns To monitor network activity Network traffic analysis provides security professionals with a way to monitor network activity, identify malicious activity, and understand network traffic patterns.

Answer 855

Payload Footer Header A packet contains a header, payload, and footer. The header includes information like the type of protocol and port being used. The payload is the actual data being delivered. The footer signifies the end of the packet.

Answer 856

Internet Layer The Internet Layer accepts and delivers packets for the network.

Answer 857

Payload The payload is the component of a packet that contains the actual data that is intended to be sent to its destination, such as the body of an email.

Answer 858

packet capture A packet capture is a file that contains data packets that have been intercepted from an interface or a network. A network protocol analyzer, also known as a packet sniffer, is a tool designed to capture and analyze data traffic within a network.

Answer 859

sudo tcpdump -c3 -i any -v

Answer 860

Version The Version field of an IP header identifies whether IPv4 or IPv6 is used.

Answer 861

Wireshark Wireshark is a network protocol analyzer that is accessed through a graphical user interface.

Answer 862

The network interface to monitor

Answer 863

Verbose information

Answer 864

sudo tcpdump -D

Answer 865

-i The -i option is used to specify the network interface; -i stands for interface.

Answer 866

Command-line interface tcpdump is a network protocol analyzer that is accessed through a command-line interface (CLI).

Answer 867

Timestamp The first field found in the output of a tcpdump command is the packet’s timestamp.

Answer 868

-w You should use the -w option. The -w option lets you save the network packets to a packet capture file for later analysis.

Answer 869

Network traffic The amount of data that moves across a network

Answer 870

Monitor network activity Deploy multi-factor authentication Data exfiltration: Unauthorized transmission of data from a system

Answer 871

Protocols Ports IP addresses

Answer 872

packet capture Packet capture (p-cap): A file containing data packets intercepted from an interface or network

Answer 873

Graphical user interface Command-line interface

Answer 874

IPv4 The Internet protocol suite is therefore often referred to as TCP/IP. The first major version of IP, Internet Protocol version 4 (IPv4), is the dominant protocol of the Internet.

Answer 875

Checksum A checksum is a value that represents the number of bits in a transmission message and is used by IT professionals to detect high-level errors within data transmissions.

Answer 876

Fragmentation IP fragmentation occurs when IP datagrams are broken apart into small packets, then transmitted across a network, and finally reassembled into the original datagram as part of normal communications. This process is necessary to meet size limits that each network can handle.

Answer 877

sudo tcpdump -i any -v

Answer 878

198.168.105.1

Answer 879

Investigate security alerts Validate security alerts Security analysts investigate and validate security alerts during the Detection and Analysis phase of the NIST Incident Response Lifecycle.

Answer 880

Yes Detection tools have limitations in their detection capabilities. Detection tools are an important part of incident detection and response, but they cannot detect everything. Additional methods of detection can be used to improve coverage and accuracy.

Answer 881

To reduce false positive alerts To improve the accuracy of detection technologies Security analysts refine alert rules to improve the accuracy of detection technologies and reduce false positive alerts. Rules are adjusted to match the activity intended to be detected.

Answer 882

Analysis Analysis involves the investigation and validation of alerts.

Answer 883

Misconfigured alert settings Broad detection rules Misconfigured alert settings and broad detection rules are some causes of high alert volumes.

Answer 884

Transparency Clarity Standardization The benefits of documentation are transparency, standardization, and clarity. Documentation is any form of recorded content that is used for a specific purpose. Clarity provides team members with a clear understanding of their roles, duties, and how to complete a process.

Answer 885

Recovery Containment Eradication The third phase of the NIST Incident Response Lifecycle includes the steps Containment, Eradication, and Recovery. Recovery returns systems affected by an incident back to their normal operations.

Answer 886

Receive and assess This scenario describes receive and assess, the first step of the triage process. In this step, the security analyst receives an alert and determines whether the alert is valid.

Answer 887

The prioritizing of incidents according to their level of importance or urgency Triage is the prioritizing of incidents according to their level of importance or urgency.

Answer 888

Containment Containment is the act of limiting and preventing additional damage caused by an incident.

Answer 889

Apply a patch Complete a vulnerability scan Completing a vulnerability scan and applying patches are examples of eradication actions.

Answer 890

Create a final report. Identify areas for improvement and learning. Security teams create a final report and identify areas for improvement and learning during the Post-incident activity phase of the NIST Incident Response Lifecycle.

Answer 891

Executive summary The executive summary section of a final report contains a high-level overview of the security incident.

Answer 892

Identify areas of improvement Review and reflect on a security incident The goals of lessons learned meetings are for security teams to review and reflect on a security incident, and identify areas of improvement.

Answer 893

Post-incident activity phase In the NIST Incident Response Lifecycle, reviewing an incident to identify areas for improvement during incident handling is known as the Post-incident activity phase.

Answer 894

What could have been done differently? By asking what could have been done differently, the security team can identify areas of weakness in their incident response process, such as the lack of a backup and recovery plan.

Answer 895

Final report

Answer 896

preventing

Answer 897

Receive and assess, assign priority, collect and analyze

Answer 898

They use automation to execute tasks and response actions.

Answer 899

Custody log This record has to detail every person who touched/had access to the document, the dates and what they did with it.

Answer 900

Update regularly

Answer 901

Transparency

Answer 902

To provide a record of event details The primary purpose of logs during incident investigation is to provide a record of event details. Knowing what occurred on systems, networks, and devices helps security analysts identify unusual or malicious activity.

Answer 903

Authentication An authentication log would be most useful for this purpose. Authentication logs record login attempts, including whether a login was successful.

Answer 904

ALLOW ALLOW refers to the action that has been recorded. In this instance, it allows access to wikipedia.org.

Answer 905

Log analysis Log analysis is the process of examining logs to identify events of interest.

Answer 906

Event description Timestamp This log contains a timestamp 2022/12/20 08:20:38.921286 and a description of the event User nuhara logged in successfully.

Answer 907

Service Protocol Log format Syslog is a standard for logging and transmitting data and can be used as a protocol, service, or log format. Protocol: The syslog protocol is used to transport logs to a centralized log server for log management. It uses port 514 for plaintext logs and port 6514 for encrypted logs. Service: The syslog service acts as a log forwarding service that consolidates logs from multiple sources into a single location. The service works by receiving and then forwarding any syslog log entries to a remote server. Log format: The syslog log format is one of the most commonly used log formats that you will be focusing on. It is the native logging format used in Unix® systems. It consists of three components: a header, structured-data, and a message.

Answer 908

Common Event Format (CEF) eXtensible Markup Language (XML) JavaScript Object Notation (JSON) Common Event Format (CEF), JavaScript Object Notation (JSON), and eXtensible Markup Language (XML) are examples of different log formats.

Answer 909

eXtensible Markup Language (XML) XML is a log format that uses tags and other keys to structure data.

Answer 910

A signature A signature specifies the rules that an IDS uses to monitor activity. Signature analysis is one of the most common methods of detection used by IDS tools.

Answer 911

The first field specifies the action.

Answer 912

Network telemetry They are using network telemetry data. Network telemetry refers to the collection and transmission of network data for analysis, such as HTTP traffic. Signature-based refers to a type of detection method that is used to find events of interest using signatures.

Answer 913

A NIDS is installed on a network; a HIDS is installed on individual devices. A NIDS is installed on a network and is used to collect and monitor network traffic and network data. A HIDS is installed on a host and is used to monitor the activity of the host.

Answer 914

header The header component of an IDS signature includes network traffic information. This includes source and destination IP addresses, source and destination ports, protocols, and traffic direction. Rule options provide different options to customize signatures.

Answer 915

Flow They should use flow. The flow option matches the direction of network traffic flow.

Answer 916

Normalize Collect and process Index The SIEM process for data collection involves the following steps: collect and process, normalize, and index. Normalizing is the step that makes raw data easy to read and analyze. It processes the raw data so that it is formatted consistently, and only relevant event information is included.

Answer 917

Yes Specific queries improve the speed and relevance of SIEM search results.

Answer 918

Unified Data Model (UDM) Chronicle uses UDM to search through normalized data.

Answer 919

* In Search Processing Language (SPL), the * character is a wildcard which is a special character that can be substituted with any other character.

Answer 920

Raw Log Search Chronicle uses raw log search to search through unstructured logs.

Answer 921

Normalize data so it is ready to read and analyze Index data to improve search performance Collect and process data The SIEM process involves the following steps: collect and process data, normalize data, and index data. SIEM tools collect and process data that is generated by devices and systems from all over an environment.

Answer 922

SPL Splunk uses its own query language known as Search Processing Language (SPL).

Answer 923

Forwarder Log forwarders There are many ways SIEM tools can ingest log data. For instance, you can manually upload data or use software to help collect data for log ingestion. Manually uploading data may be inefficient and time-consuming because networks can contain thousands of systems and devices. Hence, it's easier to use software that helps collect data. A common way that organizations collect log data is to use log forwarders. Log forwarders are software that automate the process of collecting and sending log data. Some operating systems have native log forwarders. If you are using an operating system that does not have a native log forwarder, you would need to install a third-party log forwarding software on a device. After installing it, you'd configure the software to specify which logs to forward and where to send them. For example, you can configure the logs to be sent to a SIEM tool. The SIEM tool would then process and normalize the data. This allows the data to be easily searched, explored, correlated, and analyzed. Note: Many SIEM tools utilize their own proprietary log forwarders. SIEM tools can also integrate with open-source log forwarders. Choosing the right log forwarder depends on many factors such as the specific requirements of your system or organization, compatibility with your existing infrastructure, and more.

Answer 924

A log is a record of events that occur within an organization's systems. Log analysis is the process of examining logs to identify events of interest.

Answer 925

A NIDS collects and monitors network traffic and network data. A HIDS monitors the activity of the host on which it is installed.

Answer 926

Port number Protocol IP address

Answer 927

YARA-L Chronicle uses the YARA-L language to define rules for detection. It's a computer language used to create rules for searching through ingested log data. For example, you can use YARA-L to write a rule to detect specific activities related to the exfiltration of valuable data.

Answer 928

Network telemetry Alert Network telemetry collects network traffic data from devices on your network so that the data can be analyzed. Network telemetry lets security operations teams detect network-based threats and hunt for advanced adversaries, which is essential for autonomic security operations.

Answer 929

Normalize Normalize data: Event data that's been collected becomes normalized. Normalization converts data into a standard format so that data is structured in a consistent way and becomes easier to read and search. While data normalization is a common feature in many SIEM tools, it's important to note that SIEM tools vary in their data normalization capabilities.

Answer 930

Python programmers can find a lot of support online. Python programmers can follow standard guidelines. Python resembles human language and is easy to read. A security analyst might choose Python to automate tasks because they can find a lot of support online and follow standard guidelines. An analyst might also choose Python to automate tasks because it resembles human language and is easy to read.

Answer 931

Print authorized usernames Print authorized usernames is a Python comment. Comments are notes that programmers make about the intention behind their code, and they begin with the # symbol.

Answer 932

print("invalid username") The code print("invalid username") outputs the string "invalid username" to the screen. The print() function outputs the object specified inside the parentheses to the screen. To output a string, it must be placed in quotation marks.

Answer 933

This prints a "Try again" message print("Try again")

Answer 934

Python reduces manual effort. Python can combine separate tasks into one workstream. Python helps automate short, simple tasks. Python reduces the manual effort needed to perform common and repetitive tasks. It helps automate short, simple tasks and can combine separate tasks into one workstream.

Answer 935

Managing an access control list Addressing an unusual cybersecurity concern Analyzing network traffic A security analyst would most likely automate the following tasks with Python: sorting through a log file, managing an access control list, and analyzing network traffic. Python is most commonly used in cybersecurity to automate common and repetitive tasks.

Answer 936

Boolean The Boolean data type can only have a value of True or False. Boolean data is data that can only be one of two values: either True or False.

Answer 937

username = "jrafael" The code username = "jrafael" assigns the variable username a value of "jrafael". The syntax for assigning a variable requires a name for the variable, then an equals sign (=), and finally the value for the variable.

Answer 938

15.0 -2.11 15.0 and -2.11 are examples of float data. Float data is data consisting of a number with a decimal point.

Answer 939

username = ["elarson", "bmoreno", "tshah"] data_type = type(username) print(data_type) The type() function returns the data type of its input. In this case, that input is the username variable, which contains a list. This data type is assigned to the data_type variable and is displayed through the print() function.

Answer 940

List List is the data type of login_success. List data is a data structure that consists of a collection of data in sequential form. Lists are placed in brackets.

Answer 941

4 The output of the code is 4. This code initially assigns the value of failed_attempts to 3, but it then reassigns the value of this variable to 4 before printing it. The print() function is placed after this and displays this reassigned value of 4.

Answer 942

== The == operator evaluates whether two objects match and can be used in a condition to evaluate whether the value contained in a login_attempts variable matches a value of 5. This condition can be placed in an if statement header as if login_attempts == 5.

Answer 943

"You're logged in." The code will display "You're logged in." The condition in the if statement requires the ip_address variable to contain a value of "192.168.183.51". Because this condition evaluates to True, Python will perform the action specified in the body of the if statement. In this case, it displays the message "You're logged in." The action specified in the body of the else statement will only execute when the condition in the if statement evaluates to False, so it will not print "Login failed, try again."

Answer 944

if failed_logins >= 3: print("account locked") The following conditional statement prints the message "account locked" when the value of failed_logins is 3 or higher: if failed_logins >= 3: print("account locked") This condition checks if failed_logins is assigned a value that is greater than or equal to 3. The operator >= represents greater than or equal to. When this condition is met, the body prints the "account locked" message.

Answer 945

for i in range(3, 8): print(i) The following code prints all numbers from 3 to 7: for i in range(3, 8): print(i) The range() function generates a sequence of numbers. With range(3, 8), the sequence will start at 3 and end at 7. This is because the number in the first position, 3, is included in the sequence, but the number in the second position, 8, is excluded.

Answer 946

10 This code will print "security alert" ten times. This is because the count variable is assigned an initial value of 0. It then increments by 1 with each iteration of the loop until the condition instructs it to stop at 10.

Answer 947

Reducing the effort needed to manage an access control list Automating several tasks from a playbook into one workstream Automating how a log is read when responding to an incident

Answer 948

The line with print("Attempting connection") is not indented. The line with count = count + 1 is not indented.

Answer 949

"user1" "100"

Answer 950

username = "dtanaka"

Answer 951

Indicate that var2 contains list data

Answer 952

A colon (:) is missing at the end of the conditional header The operator should not be !=. It should be ==.

Answer 953

else: print("No updates needed")

Answer 954

Output the integers 0 and 5

Answer 955

count = count + 2

Answer 956

A section of code that can be reused in a program

Answer 957

def The def keyword is essential when defining a function. It is placed before a function name to define it.

Answer 958

def status_check(): A valid header for the function definition is def status_check():. Headers should include the def keyword, the name of the function followed by parentheses, and a colon (:).

Answer 959

def alert(): print("Security issue detected.") alert() When defining and then calling a function alert() that prints out the statement "Security issue detected.", the following block of code demonstrates correct indentation:

Answer 960

"bmoreno" In this code block, the component that is an argument is "bmoreno". Arguments are the data brought into a function when it is called.

Answer 961

def doubles(num): result = num * 2 return result The return keyword is used to return information from a function. It is placed before the information that you want to return. In this case, that is the result variable.

Answer 962

print(type("elarson")) The code print(type("elarson")) has correct syntax for printing the data type of the string "elarson". The inner function is processed first, and then its returned value is passed to the outer function. The argument "elarson" is first passed into the type() function. It returns its data type, and this is passed into the print() function.

Answer 963

def addition(num1, num2): The correct way to define the function addition() if it requires the two parameters num1 and num2 is def addition(num1, num2):. If a function requires multiple parameters, you should place them in parentheses and separate them with commas when defining the function.

Answer 964

arguments An argument is the data brought into a function when it is called. In this case, 5 and 12 are brought into the range() function when it is called. A parameter is an object that is included in a function definition for use in that function.

Answer 965

A module is a Python file that contains additional functions, variables, and other kinds of runnable code. A Python library is a collection of modules.

Answer 966

NumPy The NumPy library is not included in the Python Standard Library. It is an external library that must be downloaded.

Answer 967

PEP 8 The PEP 8 style guide is a resource that provides stylistic guidelines for programmers working in Python, including recommendations about comments. This includes guidelines such as making comments clear and keeping them up-to-date when code changes.

Answer 968

if username == "elarson": print("Welcome, elarson!") The body of a conditional statement, which is the print() function in this case, must be indented for the code to execute properly.

Answer 969

A Python file that contains additional functions, variables, and any kind of runnable code

Answer 970

type([55, 81, 17])

Answer 971

Making it easier for other programmers to understand your code Making your code more consistent

Answer 972

Functions that exist with Python and can be called directly

Answer 973

Keep them up-to-date. Make them clear.

Answer 974

ip_addresses = "192.168.140.81, 192.168.109.50, 192.168.243.140" print(ip_addresses.index("192.168.243.140")) 32

Answer 975

Strings are immutable. Strings must be placed in quotation marks (" "). Strings must be placed in quotation marks. Strings are also immutable. This means they cannot be changed after they are created and assigned a value.

Answer 976

"0kt" This code returns "0kt". It uses bracket notation to take a slice of the value contained in the device_id variable. Indices start at 0 in Python. It extracts the characters at indices 2, 3, and 4. The character at index 5 is excluded from the slice.

Answer 977

"tj1c58dakx" This code displays "tj1c58dakx". The .lower() method converts all uppercase characters into lowercase characters.

Answer 978

"LL" The code print("HELLO"[2:4]) outputs "LL". The first index in the slice is included in the output, but the second index in the slice is not included. This means the slice starts at the character at index 2 and ends one character before index 4.

Answer 979

"eraab" In the list ["elarson", "bmoreno", "tshah", "eraab"], the element "eraab" has an index of 3. In Python, indices start at 0, so the element that has an index of 3 is the fourth element.

Answer 980

["a", "b", 4, "d"] The code will display ["a", "b", 4, "d"]. It reassigns the my_list element at index 2. This is the third element in the list, so "c" is replaced by the integer 4.

Answer 981

machine_ids.insert(3,"yihhLL") The code machine_ids.insert(3,"yihhLL") will add the ID of "yihhLL" at index 3. The .insert() method adds an element in a specific position inside a list. It takes in two parameters. The first indicates the index where you want to add a new element, and the second indicates the element you want to add.

Answer 982

access_list.remove("tshah") The code access_list.remove("tshah") will remove the username "tshah" from the list. The .remove() method removes the first occurrence of a specific element in a list. It takes the element to be removed as its argument, so access_list.remove("tshah") removes the username "tshah".

Answer 983

An if statement that compares a username to the criteria for removal The .remove() method A for loop that iterates through the usernames in the access list The algorithm should iterate through the usernames in an access list. On each iteration, it should check whether the current username matches the specific criteria and remove it when it does. The .remove() method removes the first occurrence of the usernames that match the criteria.

Answer 984

"bkaaab" The string "bkaab" matches with the regular expression "b\wa+b". The first character must be "b". After this, the symbol \w is used to match any alphanumeric character, including "k". Next, the + symbol specifies that there should be one or more occurrences of the character it follows, which in this case is "a". Finally, the string must end with "b".

Answer 985

+ The symbol + represents one or more occurrences of a specific character.

Answer 986

"\w+a6v" The regular expression "\w+a6v" matches strings that consist of both numbers and alphabetic characters, are at least four characters long, and end with the sequence "a6v". There must be at least one other character before "a6v", so "\w+" is needed to match to one or more alphanumeric characters. Then, the required ending sequence is "a6v".

Answer 987

re.findall(pattern, text) The function call re.findall(pattern, text) enables you to do this. The re.findall() function returns a list of matches to a regular expression. You must specify that this function comes from the re module. The first argument is the regular expression pattern that you want to match. In this case, it is found in the variable pattern. The second argument indicates where to search for this pattern. In this case, this is the string assigned to the variable text.

Answer 988

"3" "FirstName" The strings "3" and "FirstName" match the regular expression pattern "\w+". The \w symbol matches with any alphanumeric character. When combined with the + symbol, it represents one or more occurrences of any alphanumeric character. Because "FirstName" is a string that contains multiple alphanumeric characters, it matches the regular expression.

Answer 989

print("HG91AB2".lower())

Answer 990

"7x43" employee_id = "w237x430y567" print(employee_id[3:7])

Answer 991

users = new_users + approved_users

Answer 992

my_list.insert(4,5) my_list = [1,2,3,4] my_list.insert(4,5) print(my_list)

Answer 993

re.findall("r15\w+", device_ids)

Answer 994

"network" "9210" "email123" import re hi = """network", "email@email.com", "9210", "email123""" print(re.findall("\w+",hi))

Answer 995

Whether login attempts occurred from IP addresses that are not established work zones Whether several failed login attempts occurred within a short span of time Whether login attempts occurred outside of normal work hours Using automated Python programs, you can track whether several failed login attempts occurred within a short span of time, whether login attempts occurred outside of normal work hours, and whether login attempts occurred from IP addresses that are not established work zones. In all of these cases, you can obtain the data needed for Python automation.

Answer 996

.csv .txt Common file formats for security logs include .txt and .csv. Both file formats are types of text files, meaning they only contain plain text. It is easy to extract data from .txt and .csv files.

Answer 997

for loops Python for loops contribute to automation by allowing you to perform the same action a certain number of times based on a sequence.

Answer 998

Cybersecurity-related information is often found in log files. Knowing how to work with files is important for automation because cybersecurity-related information is often found in log files.

Answer 999

Open the "ip_addresses.txt" file in order to read it Store the file object in the file variable while inside the with statement The line of code with open("ip_addresses.txt", "r") as file: instructs Python to open the "ip_addresses.txt" file in order to read it ("r"). It also instructs Python to store the file object in the file variable while inside the with statement.

Answer 1000

Assign `import_file` to the name of the text file that contains the security log file import_file = "login.txt" First line of the `with` statement # Use `open()` to import security log file and store it as a string with open("login.txt", "r") as file: file.text = file.read() print(file.text.split())

Answer 1001

with open("logs.txt", "r") as file: The code with open("logs.txt", "r") as file: is the correct line of code to do this. The with keyword ensures all resources are released while opening and reading the file. This includes ensuring the file is closed after exiting the with statement. Then, calling the open() function with the file "logs.txt" and "r" as arguments indicates to read the "logs.txt" file. Finally, as file specifies to store the file object in the variable file.

Answer 1002

login_attempts = login_file.read() The code login_attempts = login_file.read() reads the log file and stores it in a variable called login_attempts. The .read() method converts files into strings. The code assigns the string it creates to another variable named login_attempts.

Answer 1003

ip_addresses = file.split() The code ip_addresses = file.split() separates the individual IP addresses in the file variable and then stores this as a list in a variable called ip_addresses. The .split() method converts a string into a list. It separates the string based on a character passed into the function as an argument. If a character is not passed in, it will separate the string whenever it encounters a whitespace.

Answer 1004

A for loop that iterates through the list of timestamps An if statement that checks if the login timestamp occurred at unusual hours The code should include a for loop that iterates through the list of timestamps and an if statement that checks if the login timestamp occurred at unusual hours.

Answer 1005

Misspelling the Python keyword elif by typing elsif instead Omitting the colon at the end of an iterative statement header Omitting the colon at the end of an iterative statement header and misspelling the Python keyword elif by typing elsif instead are two examples of syntax errors. Syntax errors involve invalid usage of the Python language.

Answer 1006

Change the keyword elsif to elif. When you run this code, the error message can help you identify the syntax error and the line number where it occurs. Changing the keyword elsif to elif will fix the error. Syntax errors involve invalid usage of the Python language, such as misspelling a keyword. The correct spelling for the keyword needed before the condition operating_system == "OS 2" is elif.

Answer 1007

Logic errors Exceptions Syntax errors Syntax errors, logic errors, and exceptions are all types of errors you might encounter while debugging code. Syntax errors involve invalid usage of the Python language. Logic errors may not cause error messages, but they produce unintended results. Exceptions happen when the program does not know how to execute code even though it is syntactically correct.

Answer 1008

Logic error This is a logic error. Logic errors are errors that result when the logic used in code produces unintended results. In this situation, because the security incident ticket is forwarded to the wrong team, there is an unintended result.

Answer 1009

Exception This is an exception. Exceptions occur when Python does not know how to execute code even though it is syntactically correct. This happens if you ask Python to access an index that does not exist.

Answer 1010

Debugging The practice of identifying and fixing errors in code

Answer 1011

A missing colon (:) def search_list(username): for item in username: print(item) search_list(["elarson", "bmoreno", "tshah"])

Answer 1012

Remove the quotation marks surrounding the argument "first_name" when calling welcome_user()

Answer 1013

Use a debugger Add print statements

Answer 1014

It opens a file called "logs.txt" in read mode and stores it in a variable called file.

Answer 1015

usernames = file_text.split()

Answer 1016

Reads the old_format variable, which contains a file, and stores it as a string in new_format

Answer 1017

A split() function to split the login information into a list A for loop to iterate through all items in the logins list An if statement to check if a login attempt failed

Answer 1018

Evaluate risks and identify potential system breaches Recognize what they are defending A security mindset enables an analyst to recognize what they are defending. It also helps them evaluate risks and identify potential system breaches.

Answer 1019

Guest Wi-Fi network A guest Wi-Fi network is an asset that would have the least impact on an organization if it were compromised because an organization’s business operations would experience little to no impact.

Answer 1020

By researching the latest security vulnerabilities Security analysts can cultivate a security mindset by researching the latest security vulnerabilities. Staying updated about threats and vulnerabilities can help analysts take the necessary actions to prevent potential attacks from happening.

Answer 1021

Reporting suspicious emails Exercising suspicion before opening email attachments Exercising suspicion before opening email attachments and reporting suspicious emails are examples of the use of a security mindset. A security mindset can help you identify and reduce security risks and potential incidents.

Answer 1022

Both events should be escalated. Both events should be escalated to a supervisor. There are no issues that are too small or too big. It’s always best to err on the side of caution and report events to the appropriate team members.

Answer 1023

Sensitive financial data Customers’ usernames and passwords Sensitive financial data and customers' usernames and passwords are examples of data and assets that stakeholders are most interested in protecting.

Answer 1024

security incident When a security event results in a data breach, it is categorized as a security incident. However, if the event is resolved without resulting in a breach, it is not considered an incident.

Answer 1025

Financial consequences Data protection Loss of assets Operational downtime, financial consequences, and loss of assets are examples of the potential impact of a security incident involving malicious code.

Answer 1026

ability to evaluate risk and constantly seek out and identify the potential or actual breach of a system, application, or data

Answer 1027

malicious software designed to disrupt a system infiltrates an organization's computers or network

Answer 1028

an employee of an organization violates the organization’s acceptable use policies

Answer 1029

Improper usage incidents should always be escalated out of caution.

Answer 1030

an individual gains digital or physical access to a system, data, or an application without permission

Answer 1031

True Not all security incidents should be equally prioritized. Incidents that impact assets essential to business operations should take priority over other incidents.

Answer 1032

The organization's manufacturing network is compromised A manufacturing network is a major part of an organization’s business operations. If it is compromised, it can lead to major financial loss.

Answer 1033

escalation policy An escalation policy is a set of actions that outlines who should be notified when an incident alert occurs and how that incident should be handled.

Answer 1034

Improper usage The improper usage incident classification type occurs when an employee violates the organization’s acceptable use policy.

Answer 1035

They should have a clear purpose They should be precise They should avoid unnecessary jargon Communications with stakeholders should be precise, avoid unnecessary technical terms, and have a clear purpose.

Answer 1036

sensitive Information that is communicated to stakeholders is sensitive. It is important to be cautious when exchanging emails with stakeholders. Always make sure you are sending emails to the correct address.

Answer 1037

Ask stakeholders questions about the data and assets they are responsible for protecting. Asking stakeholders questions about the data and assets they are responsible for protecting is a great way to learn what matters most to them. Directly asking the stakeholders what data and assets they are responsible for protecting gives more personal insight into their technological needs and prompts a more immediate response from them.